About
Search
Welcome to M-Files Empower – our new support experience. We'd love to hear what you think!Give feedback
Home/Product information and downloads/Security advisories

CVE-2023-6189 Elevation of Privilege in M-Files Server

2023-11-22

Description

Missing access permissions checks in the M-Files server before 23.11.13156.0 allow attackers to perform data write and export jobs using the M-Files API methods.

Affected products

M-Files Server before 23.11.13156.0

More information

Using the M-Files API method any user can write the log entries and perform the data export jobs that should only be allowed for authenticated users. CVSS 3.1 Base Score: 4.3 CVSS 3.1 Temporal Score: 3.7 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:R CWE: CWE-280 Improper Handling of Insufficient Permissions or Privileges CAPEC: CAPEC-212 Functionality Misuse Internal ID: 167986,167987 Date issued: 2023-11-22

Exploitability

Publicly disclosed: No Exploited: No Probability of exploitation: low – internally found

Links

On this page
Description
Affected products
More information
Exploitability
Links
Popular links
What is enterprise content management?Business process managementCollaboration solutionsSolutions by industryKey capabilities
About M-Files
Contact usSchedule a demoCareersTrust CenterPrivacy policySecurity Hall of Fame
Resources
Customer Support PortalPartner HubDeveloper PortalUser guideM-Files CommunityTerms and conditions