Description
A vulnerable API method in M-Files Server before 23.12.13195.0 allows for uncontrolled resource consumption. Authenticated attacker can exhaust server storage space to a point where the server can no longer serve requests.
Affected products
M-Files Server before 23.12.13195.0 M-Files Server before 23.2 LTS SR6 (this service release is not affected) M-Files Server before 23.8 LTS SR4 (this service release is not affected)
More information
Exploiting the vulnerability requires authentication or anonymous authentication to be enabled in an M-Files vault. CVSS 3.1 Base Score: 6.5 CVSS 3.1 Temporal Score: 5.9 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C CWE: CWE-770 Allocation of Resources Without Limits or Throttling CAPEC: CAPEC-130: Excessive Allocation Internal ID: 167985 Date issued: 2023-12-18
Exploitability
Publicly disclosed: No Exploited: No Propability of exploitation: low – internally found
