CVE-2021-37254: Information Disclosure Vulnerability

DESCRIPTION:

In M-Files Web product with versions before 20.10.9524.1 and 20.10.9445.0, a remote attacker could use a flaw to obtain unauthenticated access to 3rd party component license key information on server.

Risk level: Low

Fix: Upgrade to version 20.10.9524.1 or 20.10.9445.0 or later.

AFFECTED PRODUCTS:

* M-Files Web version before 20.10.9524.1
* M-Files Web version before 20.10.9445.0

MORE INFORMATION:

M-Files Web revealed 3rd party license key. This vulnerability does not have impact on customer data.

ACKNOWLEDGEMENT

We thank Murat Aydemir from Cyberwise (Turkey) for responsible disclosure.

---

Date issued: 2021-10-27