CVE-2022-39016 – Javascript injection in PDFtron in M-Files Hubshare
https://notcve.org/view.php?id=CVE-2022-39016
Javascript injection in PDFtron in M-Files Hubshare before 3.3.10.9 allows authenticated attackers to perform an account takeover via a crafted PDF upload. La inyección de Javascript en PDFtron en M-Files Hubshare anterior a 3.3.10.9 permite a atacantes autenticados realizar una apropiación de cuenta mediante una carga de PDF manipulada. • https://www.themissinglink.com.au/security-advisories/cve-2022-39016 • CWE-20: Improper Input Validation CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-41810 – Script injection in M-Files Server products with versions before 22.2.11051.0, allows executing stored script in admin tool
https://notcve.org/view.php?id=CVE-2021-41810
Admin tool allows storing configuration data with script which may then get run by another vault administrator. Requires vault admin level authentication and is not remotely exploitable La herramienta de administración permite almacenar datos de configuración con un script que puede ser ejecutado por otro administrador de la bóveda. Requiere autenticación a nivel de administrador de la bóveda y no es explotable remotamente • https://www.m-files.com/about/trust-center/security-advisories/cve-2021-41810 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-41808 – In M-Files Server product with versions before 21.11.10775.0, enabling logging of federated authentication would write sensitive information to event logs.
https://notcve.org/view.php?id=CVE-2021-41808
In M-Files Server product with versions before 21.11.10775.0, enabling logging of Federated authentication to event log wrote sensitive information to log. Mitigating factors are logging is disabled by default. En el producto M-Files Server con versiones anteriores a 21.11.10775.0, al habilitar el registro de la autenticación federada en el registro de eventos escribía información confidencial en el registro. Los factores atenuantes son que el registro está deshabilitado por fallo • https://www.m-files.com/about/trust-center/security-vulnerabilities/cve-2021-41808 • CWE-532: Insertion of Sensitive Information into Log File •
CVE-2021-41807 – Lack of rate limiting in M-Files Server and M-Files Web products with versions before 21.12.10873.0, allows brute-forcing of certain type of user accounts.
https://notcve.org/view.php?id=CVE-2021-41807
Lack of rate limiting in M-Files Server and M-Files Web products with versions before 21.12.10873.0 in certain type of user accounts allows unlimited amount of attempts and therefore makes brute-forcing login accounts easier. Una falta de limitación de velocidad en los productos M-Files Server y M-Files Web versiones anteriores a 21.12.10873.0, en determinados tipos de cuentas de usuario permite una cantidad ilimitada de intentos y, por tanto, facilita un ataque de fuerza bruta de las cuentas de inicio de sesión • https://www.m-files.com/about/trust-center/security-vulnerabilities/cve-2021-41807 • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVE-2021-41809 – SSRF vulnerability in M-Files Server products with versions before 22.1.11017.1, allows requests from server.
https://notcve.org/view.php?id=CVE-2021-41809
SSRF vulnerability in M-Files Server products with versions before 22.1.11017.1, in a preview function allowed making queries from the server with certain document types referencing external entities. Una vulnerabilidad de tipo SSRF en los productos M-Files Server versiones anteriores a 22.1.11017.1, en una función de vista previa que permitía realizar consultas desde el servidor con determinados tipos de documentos que hacían referencia a entidades externas • https://www.m-files.com/about/trust-center/security-vulnerabilities/cve-2021-41809 • CWE-918: Server-Side Request Forgery (SSRF) •