Security Advisories

Detailed information on public vulnerabilities in M-Files products

CVE-2023

CVE ID | DATE ISSUED | TITLE | PRODUCTS
CVE-2023-4479 | 2024-03-18 | Stored XSS Vulnerability in M-Files Web | M-Files Web before 23.8
CVE-2024-0563 | 2024-02-23 | Denial of service condition in M-Files Server | M-Files Server before 24.2; M-Files Server before 23.2 LTS SR7; M-Files Server before 23.8 LTS SR5
CVE-2023-6912 | 2023-12-19 | Brute force vulnerability in M-Files user authentication | M-Files Server before 23.12.13195.0
CVE-2023-6910 | 2023-12-18 | CVE-2023-6239: Incorrect calculation of effective permissions | M-Files Server 23.9; M-Files Server 23.10; M-Files Server 23.11 versions prior to 23.11.13168.7
CVE-2023-6239 | 2023-11-28 | Incorrect calculation of effective permissions | M-Files Server 23.9; M-Files Server 23.10; M-Files Server 23.11 versions prior to 23.11.13168.7
CVE-2023-6117 | 2023-11-22 | M-Files REST API allows Denial of Service | M-Files Server before 23.11.13156.0
CVE-2023-6189 | 2023-11-22 | Elevation of Privilege in M-Files Server | M-Files Server before 23.11.13156.0
CVE-2023-2325 | 2023-10-20 | Stored XSS Vulnerability in M-Files Classic Web | M-Files Server before 23.10; M-Files Server before 23.2 LTS SR4 (this service release is not affected); M-Files Server before 23.8 LTS SR1 (this service release is not affected)
CVE-2023-5523 | 2023-10-20 | M-Files Web Companion allows Remote Code Execution | M-Files Web Companion before 23.10; M-Files Web Companion before 23.8 LTS SR1
CVE-2023-5524 | 2023-10-20 | M-Files Web Companion allowed Remote Code Execution for some filetypes | M-Files Web Companion before 23.10; M-Files Web Companion before 23.8 LTS SR1
CVE-2023-3425 | 2023-08-25 | Out-of-Bounds memory read in M-Files Server | M-Files Server before 23.8.12892.6; M-Files Server before 23.2 LTS SR3
CVE-2023-3406 | 2023-08-25 | Path traversal issue in M-Files Classic Web | M-Files Classic Web before 23.6.12695.3; M-Files Classic Web before 23.2 LTS SR3
CVE-2023-3405 | 2023-06-28 | Denial of service in M-Files Server | M-Files Server before 23.6.12695.3 (excluding 23.2 SR2 and newer)
CVE-2023-2480 | 2023-05-25 | Elevation of Privilege in M-Files Desktop Client | M-Files Client before 23.5.12598.0
CVE-2023-0383 | 2023-04-20 | Uncontrolled Resource Consumption in M-Files Server | M-Files Server before 23.4.12528.1
CVE-2023-0384 | 2023-04-20 | Uncontrolled Resource Consumption in M-Files Server | M-Files Server before 23.4.12528.1
CVE-2023-2112 | 2023-04-20 | Desktop Component allows lateral movement between sessions | M-Files Desktop before 23.4.12455.0
CVE-2023-0382 | 2023-04-05 | Uncontrolled Resource Consumption in M-Files Server | M-Files Server before 23.4.12528.1
CVE-2023-0213 | 2023-03-29 | Elevation of Privilege | M-Files version before 22.6

CVE-2022

CVE ID | DATE ISSUED | TITLE | PRODUCTS
CVE-2022-4862 | 2023-03-06 | XSS vulnerability in M-Files Web | M-Files Web before 22.12.12140.3
CVE-2022-3284 | 2023-03-06 | Insecure Way of Passing a Download Key | M-Files New Web before 22.11.12011.0
CVE-2022-4861 | 2022-12-30 | Incorrect Implementation of Authentication Algorithm | M-Files Client before 22.5.11356.0
CVE-2022-4858 | 2022-12-30 | Insertion of Sensitive Information into Log File | M-Files Server before 22.10.11846.0
CVE-2022-4264 | 2022-12-09 | Incorrect Privilege Assignment | M-Files Web Classic before 22.8.11691.0
CVE-2022-4270 | 2022-12-02 | Incorrect Privilege Assignment | All M-Files Web Classic versions before 22.5.11436.1; All M-Files Web vNext versions before 22.5.11436.1
CVE-2022-1606 | 2022-11-30 | Incorrect Privilege Assignment | All M-Files Server versions before 22.3.111.64.0 and before 22.3.11237.1
CVE-2022-1911 | 2022-11-30 | Information Disclosure in M-Files Server | All M-Files Server versions before 22.3.111.64.0 and before 22.3.11237.1
CVE-2022-3602 & CVE-2022-3786 | 2022-11-01 | OpenSSL 3.x Vulnerability and M-Files | M-Files Server/Desktop/Classic Web/VNEXT/Mobile
CVE-2022-39019 | 2022-08-20 | Lack of authorization check on rendered images from pdftron | All Hubshare versions before 3.3.10.8
CVE-2022-39018 | 2022-08-20 | Pdftron lack of authorization check | All Hubshare versions before 3.3.10.8
CVE-2022-39017 | 2022-08-20 | Cross Site Scripting (XSS) from comment areas | All Hubshare versions before 3.3.10.8
CVE-2022-39016 | 2022-08-20 | Cross Site Scripting (XSS) | All Hubshare versions before 3.3.10.8
CVE-2022-26809 | 2022-04-16 | Remote Procedure Call Runtime Remote Code Execution Vulnerability and M-Files | M-Files Server/Desktop/Classic Web/VNEXT/Mobile
CVE-2022-22965 | 2022-04-01 | Spring Framework RCE and M-Files | M-Files Server/Desktop/Classic Web/VNEXT/Mobile

CVE-2021

CVE ID | DATE ISSUED | TITLE | PRODUCTS
CVE-2021-41809 | 2022-01-17 | SSRF Vulnerability | M-Files Server before 22.1.11017.1
CVE-2021-41808 | 2022-01-17 | Information disclosure | M-Files Server before 21.11.10775.0
CVE-2021-41807 | 2022-01-17 | Lack of rate-limiting | M-Files Server before 21.12.10873.0; M-Files Web before 21.12.10873.0
CVE-2021-44228 | 2021-12-14 | Log4j and M-Files | M-Files Server/Desktop/Classic Web/VNEXT/Mobile
CVE-2021-37253 | 2021-12-03 | Denial of Service | M-Files Classic Web
CVE-2021-37254 | 2021-10-27 | Information Disclosure Vulnerability | M-Files Web
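The PRODUCTS column states exposure as a "before <build>" threshold, sometimes with an LTS service release exempted, and M-Files build numbers have four numeric parts, so a plain string comparison gets 23.9 versus 23.10 wrong. The check below is an added example, not M-Files tooling: it compares an installed build against a subset of the Server and Web entries transcribed from the tables above and flags LTS branches for manual review, because a build number alone does not show which service release is applied. The installed build numbers fed to it are constructed for the demonstration.

```python
import re

# Affected-product strings transcribed from the advisory tables above (a subset,
# chosen to cover each wording style the tables use: a full four-part build
# number, a bare major.minor, an LTS service-release exemption, and a product
# other than the Server). The tables, not this script, are authoritative.
ADVISORIES = [
    ("CVE-2023-6912", "M-Files Server",
     "M-Files Server before 23.12.13195.0"),
    ("CVE-2023-6189", "M-Files Server",
     "M-Files Server before 23.11.13156.0"),
    ("CVE-2023-3425", "M-Files Server",
     "M-Files Server before 23.8.12892.6; M-Files Server before 23.2 LTS SR3"),
    ("CVE-2023-3405", "M-Files Server",
     "M-Files Server before 23.6.12695.3 (excluding 23.2 SR2 and newer)"),
    ("CVE-2023-0382", "M-Files Server",
     "M-Files Server before 23.4.12528.1"),
    ("CVE-2023-4479", "M-Files Web",
     "M-Files Web before 23.8"),
]

# A four-part build number such as 23.11.13156.0 ...
FULL_RE = re.compile(r"before (\d+\.\d+\.\d+\.\d+)")
# ... or a bare release such as 23.8, but not the "23.2" of "23.2 LTS SR3".
SHORT_RE = re.compile(r"before (\d+\.\d+)(?![\d.])(?!\s*(?:LTS|SR))")
# An LTS branch named together with a service release: "23.2 LTS SR3", "23.2 SR2".
LTS_RE = re.compile(r"(\d+\.\d+)\s+(?:LTS\s+)?SR\d+")


def parse_version(text):
    """'23.11.13156.0' -> (23, 11, 13156, 0); '23.8' -> (23, 8, 0, 0).

    Integer tuples compare numerically, so 23.9 < 23.10 as intended.
    """
    parts = text.strip().split(".")
    if len(parts) not in (2, 4) or not all(p.isdigit() for p in parts):
        raise ValueError("unexpected M-Files version format: %r" % text)
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))


def classify(installed, affected):
    """Return 'affected', 'fixed' or 'manual' for one installed build against
    one PRODUCTS string from the table."""
    inst = parse_version(installed)
    m = FULL_RE.search(affected) or SHORT_RE.search(affected)
    if not m:
        return "manual"  # entry gives no numeric threshold to compare against
    if inst >= parse_version(m.group(1)):
        return "fixed"
    # Below the threshold. If the entry names an LTS branch with its own service
    # release and the installed build is on that branch (same major.minor), the
    # build number alone cannot tell whether that SR is applied: check it by hand.
    lts = LTS_RE.search(affected)
    if lts and installed.startswith(lts.group(1) + "."):
        return "manual"
    return "affected"


def check(product, installed, advisories=ADVISORIES):
    """Map every advisory for `product` to its status for the `installed` build."""
    return {cve: classify(installed, text)
            for cve, prod, text in advisories if prod == product}


if __name__ == "__main__":
    # Constructed build numbers for the demonstration.
    for prod, ver in [("M-Files Server", "23.11.13156.0"),
                      ("M-Files Server", "23.2.12345.0"),
                      ("M-Files Web", "23.8.12892.6")]:
        print(prod, ver, check(prod, ver))
```

"manual" is the important output: a 23.2 LTS build that is numerically below 23.8.12892.6 may well be patched by SR3, and a script that reports it as "affected" or "fixed" without looking at the service-release level would be guessing. Entries with no numeric threshold at all (for example a bare product name) also come back as "manual" rather than being silently skipped.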

Report vulnerabilities

M-Files takes software vulnerabilities seriously. If you have identified a potential security vulnerability, get in touch through the "How to report vulnerabilities" page.

Security Hall of Fame

M-Files celebrates those who help identify and correct security vulnerabilities across all M-Files products; see the Security Hall of Fame page.