CVE-2023-4479 – Stored XSS Vulnerability in M-Files Web
https://notcve.org/view.php?id=CVE-2023-4479
Stored XSS vulnerability in M-Files Web versions before 23.8 allows an attacker to execute script in a user's browser via a stored HTML document within a limited time period.
References: https://www.m-files.com/about/trust-center/security-advisories/cve-2023-4479 • https://product.m-files.com/security-advisories/cve-2023-4479
Weakness: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2021-41807 – Lack of rate limiting in M-Files Server and M-Files Web products with versions before 21.12.10873.0 allows brute-forcing of certain types of user accounts.
https://notcve.org/view.php?id=CVE-2021-41807
Lack of rate limiting in M-Files Server and M-Files Web products with versions before 21.12.10873.0 for certain types of user accounts allows an unlimited number of login attempts and therefore makes brute-forcing those accounts easier.
References: https://www.m-files.com/about/trust-center/security-vulnerabilities/cve-2021-41807
Weakness: CWE-307: Improper Restriction of Excessive Authentication Attempts
CVE-2021-37253 – M-Files Web Denial Of Service
https://notcve.org/view.php?id=CVE-2021-37253
** DISPUTED ** M-Files Web before 20.10.9524.1 allows a denial of service via overlapping ranges (in HTTP requests with crafted Range or Request-Range headers). NOTE: this is disputed because the range behavior is the responsibility of the web server, not the responsibility of the individual web application.
Alternate description: M-Files Web versions prior to 20.10.9524.1 and M-Files Web versions prior to 20.10.9445.0 contain an improper range header processing vulnerability. A remote unauthenticated attacker may send crafted requests with overlapping ranges (via HTTP requests with specially-crafted Range or Request-Range headers) to cause the web application to compress each of the requested bytes, resulting in a crash due to excessive memory and CPU consumption and preventing users from accessing the system.
References: http://packetstormsecurity.com/files/165139/M-Files-Web-Denial-Of-Service.html • http://seclists.org/fulldisclosure/2021/Dec/1 • https://vulmon.com/vulnerabilitydetails?qid=CVE-2021-37253 • https://www.m-files.com/about/trust-center/security-advisories/cve-2021-37253-denial-of-service • https://www.m-files.com/company/trust-center/vulnerability-disclosure • https://www.tenable.com/cve/CVE-2021-37253
Weakness: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE-2021-37254
https://notcve.org/view.php?id=CVE-2021-37254
In the M-Files Web product with versions before 20.10.9524.1 and 20.10.9445.0, a remote attacker could use a flaw to obtain unauthenticated access to third-party component license key information on the server.
References: https://www.m-files.com/about/trust-center/security-vulnerabilities/cve-2021-37254 • https://www.m-files.com/company/trust-center/vulnerability-disclosure