CVE-2024-10126 – Local file inclusion vulnerability in M-Files Server
https://notcve.org/view.php?id=CVE-2024-10126
Local File Inclusion vulnerability in M-Files Server in versions before 24.11 (excluding 24.8 SR1, 24.2 SR3 and 23.8 SR7) allows an authenticated user to read server local files of a limited set of filetypes via document preview.
• https://product.m-files.com/security-advisories/CVE-2024-10126
• CWE-552: Files or Directories Accessible to External Parties
CVE-2024-10127 – Support for authentication bypass condition in M-Files LDAP authentication
https://notcve.org/view.php?id=CVE-2024-10127
Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLDAP configurations that allowed user authentication without a password when the LDAP server itself had the vulnerable configuration.
• https://product.m-files.com/security-advisories/CVE-2024-10127
• CWE-303: Incorrect Implementation of Authentication Algorithm
CVE-2024-11176 – Incorrect calculation of effective permissions in M-Files Aino
https://notcve.org/view.php?id=CVE-2024-11176
Improper access control vulnerability in M-Files Aino in versions before 24.10 allowed an authenticated user to access object information via incorrect calculation of effective permissions.
• https://product.m-files.com/security-advisories/CVE-2024-11176
• CWE-682: Incorrect Calculation
• CWE-732: Incorrect Permission Assignment for Critical Resource
• CWE-863: Incorrect Authorization
CVE-2024-9333 – Permission bypass in M-Files Connector for Copilot
https://notcve.org/view.php?id=CVE-2024-9333
Permissions bypass in M-Files Connector for Copilot before version 24.9.3 allows an authenticated user to access a limited number of documents via incorrect access control list calculation.
• https://product.m-files.com/security-advisories/cve-2024-9333
• CWE-281: Improper Preservation of Permissions
CVE-2024-9174 – Stored HTML Injection in Hubshare social module
https://notcve.org/view.php?id=CVE-2024-9174
Stored HTML Injection in the Social Module in M-Files Hubshare before version 5.0.8.6 allows an authenticated user to spoof the UI.
• https://product.m-files.com/security-advisories/cve-2024-9174
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')