Description
Stored XSS in the Desktop UI of the M-Files Server Admin tool before version 25.3.14681.7 on Windows allows an authenticated local user to run scripts via the UI.
Affected products
M-Files Admin tool before 25.3.14681.7
More information
Exploiting this vulnerability requires a local user with either high privileges to the operating system or operating system login credentials that are shared with multiple users.
CVSS 4.0 CVSS-B Score: 5.1
CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’)
CAPEC: CAPEC-592 Stored XSS
Internal ID: ADI-222
Date issued: 2025-04-01
Credits: Pasi Orovuo / Solita Oy, Teemu Laakso / Solita Oy
Alternate IDs: EUVD-2025-9688
Exploitability
Publicly disclosed: No
Exploited: No
Probability of exploitation: low – responsibly reported
