Lack of rate limiting in M-Files Server and M-Files Web products with versions before 21.12.10873.0, allows brute-forcing of certain type of user accounts.
* M-Files Server version before 21.12.10873.0
* M-Files Web version before 21.12.10873.0
Lack of rate limiting in certain type of user accounts allows unlimited amount of attempts and therefore makes brute-forcing login accounts easier.
Vulnerability was found by an external security researcher.
“M-Files would like to thank Murat Aydemir from Accenture Cyber Security Team (Prague CFC) for bringing this to our attention.”
CWE: CWE-307
CVSS 3.1 Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Date issued: 2022-01-17