CVE-2022-1911 – Information disclosure in M-Files Server
https://notcve.org/view.php?id=CVE-2022-1911
Error in parser function in M-Files Server versions before 22.6.11534.1 and before 22.6.11505.0 allowed unauthenticated access to some information of the underlying operating system. Un error en la función del analizador en las versiones de M-Files Server anteriores a 22.6.11534.1 y anteriores a 22.6.11505.0 permitía el acceso no autenticado a cierta información del sistema operativo subyacente. • https://www.m-files.com/about/trust-center/security-advisories/cve-2022-1911 https://product.m-files.com/security-advisories/cve-2022-1911 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-668: Exposure of Resource to Wrong Sphere •
CVE-2022-1606 – Incorrect privilege assignment in M-Files Server
https://notcve.org/view.php?id=CVE-2022-1606
Incorrect privilege assignment in M-Files Server versions before 22.3.11164.0 and before 22.3.11237.1 allows user to read unmanaged objects. La asignación de privilegios incorrecta en las versiones de M-Files Server en versiones anteriores a 22.3.11164.0 y versiones anteriores a 22.3.11237.1 permite al usuario leer objetos no administrados. • https://www.m-files.com/about/trust-center/security-advisories/cve-2022-1606 https://product.m-files.com/security-advisories/cve-2022-1606 • CWE-269: Improper Privilege Management •
CVE-2022-39018 – Broken access controls on PDFtron data in M-Files Hubshare
https://notcve.org/view.php?id=CVE-2022-39018
Broken access controls on PDFtron data in M-Files Hubshare before 3.3.11.3 allows unauthenticated attackers to access restricted PDF files via a known URL. Los controles de acceso rotos a los datos de PDFtron en M-Files Hubshare anteriores a 3.3.11.3 permiten a atacantes no autenticados acceder a archivos PDF restringidos a través de una URL conocida. • https://www.themissinglink.com.au/security-advisories/cve-2022-39018 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-287: Improper Authentication CWE-639: Authorization Bypass Through User-Controlled Key •
CVE-2022-39019 – Broken access controls on PDFtron WebviewerUI in M-Files Hubshare
https://notcve.org/view.php?id=CVE-2022-39019
Broken access controls on PDFtron WebviewerUI in M-Files Hubshare before 3.3.11.3 allows unauthenticated attackers to upload malicious files to the application server. Los controles de acceso rotos en PDFtron WebviewerUI en M-Files Hubshare anterior a 3.3.11.3 permiten a atacantes no autenticados cargar archivos maliciosos al servidor de aplicaciones. • https://www.themissinglink.com.au/security-advisories/cve-2022-39019 • CWE-287: Improper Authentication CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2022-39017 – XSS in all comments fields in M-Files Hubshare
https://notcve.org/view.php?id=CVE-2022-39017
Improper input validation and output encoding in all comments fields, in M-Files Hubshare before 3.3.10.9 allows authenticated attackers to introduce cross-site scripting attacks via specially crafted comments. La validación de entrada y codificación de salida inadecuadas en todos los campos de comentarios, en M-Files Hubshare anterior a 3.3.10.9, permite a atacantes autenticados introducir ataques de Cross-Site Scripting (XSS) a través de comentarios especialmente manipulados. • https://www.themissinglink.com.au/security-advisories/cve-2022-39017 • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •