Security Advisories

Detailed information on public vulnerabilities in M-Files products

CVE-2022

| CVE ID | Date issued | Title | Products |
|---|---|---|---|
| CVE-2022-4862 | 3-6-2023 | XSS vulnerability in M-Files Web | M-Files Web before 22.12.12140.3 |
| CVE-2022-3284 | 3-6-2023 | Insecure Way of Passing a Download Key | M-Files New Web before 22.11.12011.0 |
| CVE-2022-4861 | 12-30-2022 | Incorrect Implementation of Authentication Algorithm | M-Files Client before 22.5.11356.0. |
| CVE-2022-4858 | 12-30-2022 | Insertion of Sensitive Information into Log File | M-Files Server before 22.10.11846.0. |
| CVE-2022-4264 | 12-09-2022 | Incorrect Privilege Assignment | M-Files Web Classic version before 22.8.11691.0. |
| CVE-2022-4270 | 12-02-2022 | Incorrect Privilege Assignment | All M-Files Web Classic versions before 22.5.11436.1.; All M-Files Web vNext versions before 22.5.11436.1. |
| CVE-2022-1606 | 11-30-2022 | Incorrect Privilege Assignment | All M-Files Server versions before 22.3.111.64.0 and before 22.3.11237.1. |
| CVE-2022-1911 | 11-30-2022 | Information Disclosure in M-Files Server | All M-Files Server versions before 22.3.111.64.0 and before 22.3.11237.1. |
| CVE-2022-3602 & CVE-2022-3786 | 11-01-2022 | OpenSSL 3.x Vulnerability and M-Files | M-Files Server/Desktop/Classic Web/VNEXT/Mobile |
| CVE-2022-39019 | 08-20-2022 | Lack of authorization check on rendered images from pdftron | All Hubshare versions before 3.3.10.8 |
| CVE-2022-39018 | 08-20-2022 | Pdftron lack of authorization check | All Hubshare versions before 3.3.10.8 |
| CVE-2022-39017 | 08-20-2022 | Cross Site Scripting (XSS) from comment areas | All Hubshare versions before 3.3.10.8 |
| CVE-2022-39016 | 08-20-2022 | Cross Site Scripting (XSS) | All Hubshare versions before 3.3.10.8 |
| CVE-2022-26809 | 04-16-2022 | Remote Procedure Call Runtime Remote Code Execution Vulnerability and M-Files | M-Files Server/Desktop/Classic Web/VNEXT/Mobile |
| CVE-2022-22965 | 04-01-2022 | Spring Framework RCE and M-Files | M-Files Server/Desktop/Classic Web/VNEXT/Mobile |

CVE-2021

| CVE ID | Date issued | Title | Products |
|---|---|---|---|
| CVE-2021-41809 | 01-17-2022 | SSRF Vulnerability | M-Files Server version before 22.1.11017.1 |
| CVE-2021-41808 | 01-17-2022 | Information disclosure | M-Files Server version before 21.11.10775.0 |
| CVE-2021-41807 | 01-17-2022 | Lack of rate-limiting | M-Files Server version before 21.12.10873.0; M-Files Web version before 21.12.10873.0 |
| CVE-2021-44228 | 12-14-2021 | Log4j and M-Files | M-Files Server/Desktop/Classic Web/VNEXT/Mobile |
| CVE-2021-37253 | 12-03-2021 | Denial of Service | M-Files Classic Web |
| CVE-2021-37254 | 10-27-2021 | Information Disclosure Vulnerability | M-Files Web |

Report vulnerabilities

M-Files takes software vulnerabilities seriously. If you have identified a potential security vulnerability, be in touch.

Security Hall of Fame

M-Files celebrates those who help us identify and correct security vulnerabilities across all M-Files products.