Description
An open redirection vulnerability in M-Files mobile applications for Android and iOS prior to version 25.6.0 allows attackers to use maliciously crafted PDF files to trick other users into making requests to untrusted URLs.
Affected products
M-Files Mobile iOS and Android applications before 25.6.0
More information
Exploitation requires the attacker to be an authenticated user who can add content to the vault, and requires user interaction from the victim.
CVSS 4.0 CVSS-B Score: 4.8
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/RE:M/U:Green
CWE: CWE-601 URL Redirection to Untrusted Site (‘Open Redirect’)
CAPEC: CAPEC-636 Hiding Malicious Data or Code within Files
Internal ID: MOB-146, MOB-147
Alternate IDs: EUVD-2025-18379
Date issued: 2025-06-16
Credits: Pasi Orovuo / Solita Oy, Teemu Laakso / Solita Oy
Exploitability
Publicly disclosed: No
Exploited: No
Probability of exploitation: Low – Responsibly Reported
