About
Search
Welcome to M-Files Empower – our new support experience. We'd love to hear what you think!Give feedback
Home/Product information and downloads/Security advisories

CVE-2021-41810 Script injection in M-Files Admin

2022-05-02

Description

Script injection in M-Files Admin before 22.2.11051.0, allows execution of stored script content in the admin tool.

Affected products

M-Files Admin before 22.2.11051.0

More information

M-Files Admin tool allows storing configuration data with script which may then get run by another vault administrator. Requires vault admin level authentication and is not remotely exploitable. CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N CVSS 3.1 Score: 5.2 Internal ID: 160733

Exploitability

Publicly disclosed: No Exploited: No Probability of exploitation: Low - internally found

Links

History

2022-05-02 CVE Published 2026-02-23 Advisory updated

On this page
Description
Affected products
More information
Exploitability
Links
History
Popular links
What is enterprise content management?Business process managementCollaboration solutionsSolutions by industryKey capabilities
About M-Files
Contact usSchedule a demoCareersTrust CenterPrivacy policySecurity Hall of Fame
Resources
Customer Support PortalPartner HubDeveloper PortalUser guideM-Files CommunityTerms and conditions