CVE-2021-41807: Lack of rate limiting.
Lack of rate limiting in M-Files Server and M-Files Web products with versions before 21.12.10873.0, allows brute-forcing of certain type of user accounts.
* M-Files Server version before 21.12.10873.0
* M-Files Web version before 21.12.10873.0
Lack of rate limiting in certain type of user accounts allows unlimited amount of attempts and therefore makes brute-forcing login accounts easier.
Vulnerability was found by an external security researcher.
M-Files would like to thank Murat Aydemir from Accenture Cyber Security Team (Prague CFC) for bringing this to our attention.