CVE-2022-3284: Insecure way of passing a download key
Download key for a file in a vault was passed in an insecure way that could easily be logged in M-Files New Web in M-Files before 22.11.12011.0.
M-Files New Web before 22.11.12011.0.
Download key for a file download was passed in a insecure way which makes the file public and accessible by unauthorise party as the key also contains the sessionID.
CVSS 3.1 Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CAPEC: CAPEC-158 Sniffing Network Traffic
Internal ID: 164237
Date issued: 2023-03-06