
CVSS: 2.6 • EPSS: 0% • CPEs: 1 • EXPL: 0

02 Dec 2022 — Incorrect privilege assignment issue in M-Files Web versions before 22.5.11436.1 could have changed permissions accidentally. • https://www.m-files.com/about/trust-center/security-advisories/cve-2022-4270 • CWE-269: Improper Privilege Management

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

30 Nov 2022 — Error in parser function in M-Files Server versions before 22.6.11534.1 and before 22.6.11505.0 allowed unauthenticated access to some information of the underlying operating system. • https://www.m-files.com/about/trust-center/security-advisories/cve-2022-1911 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-668: Exposure of Resource to Wrong Sphere

CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

30 Nov 2022 — Incorrect privilege assignment in M-Files Server versions before 22.3.11164.0 and before 22.3.11237.1 allows a user to read unmanaged objects. • https://www.m-files.com/about/trust-center/security-advisories/cve-2022-1606 • CWE-269: Improper Privilege Management

CVSS: 8.2 • EPSS: 0% • CPEs: 1 • EXPL: 0

31 Oct 2022 — Broken access controls on PDFtron data in M-Files Hubshare before 3.3.11.3 allow unauthenticated attackers to access restricted PDF files via a known URL. • https://www.themissinglink.com.au/security-advisories/cve-2022-39018 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-287: Improper Authentication • CWE-639: Authorization Bypass Through User-Controlled Key

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

31 Oct 2022 — Broken access controls on PDFtron WebviewerUI in M-Files Hubshare before 3.3.11.3 allow unauthenticated attackers to upload malicious files to the application server. • https://www.themissinglink.com.au/security-advisories/cve-2022-39019 • CWE-287: Improper Authentication • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 8.2 • EPSS: 0% • CPEs: 1 • EXPL: 0

31 Oct 2022 — Improper input validation and output encoding in all comment fields in M-Files Hubshare before 3.3.10.9 allow authenticated attackers to introduce cross-site scripting attacks via specially crafted comments. • https://www.themissinglink.com.au/security-advisories/cve-2022-39017 • CWE-20: Improper Input Validation • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

31 Oct 2022 — JavaScript injection in PDFtron in M-Files Hubshare before 3.3.10.9 allows authenticated attackers to perform an account takeover via a crafted PDF upload. • https://www.themissinglink.com.au/security-advisories/cve-2022-39016 • CWE-20: Improper Input Validation • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.2 • EPSS: 0% • CPEs: 1 • EXPL: 0

02 May 2022 — The admin tool allows storing configuration data with script, which may then be run by another vault administrator. Requires vault admin level authentication and is not remotely exploitable. • https://www.m-files.com/about/trust-center/security-advisories/cve-2021-41810 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 2.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

18 Jan 2022 — In M-Files Server versions before 21.11.10775.0, enabling logging of federated authentication to the event log wrote sensitive information to the log. A mitigating factor is that logging is disabled by default. • https://www.m-files.com/about/trust-center/security-vulnerabilities/cve-2021-41808 • CWE-532: Insertion of Sensitive Information into Log File

CVSS: 9.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

18 Jan 2022 — Lack of rate limiting for certain types of user accounts in M-Files Server and M-Files Web versions before 21.12.10873.0 allows an unlimited number of attempts and therefore makes brute-forcing login accounts easier. • https://www.m-files.com/about/trust-center/security-vulnerabilities/cve-2021-41807 • CWE-307: Improper Restriction of Excessive Authentication Attempts