Rendering of HTML provided by another authenticated user is possible in browser on M-Files Web before 22.12.12140.3. This allows the content to steal user sensitive information.
M-Files Web before 22.12.12140.3.
Rendering of HTML provided by another authenticated user under the M-Files Web allows stealing of sensitive information. This requires existing authorized access from the attacker and user interaction from the victim.
CVSS 3.1 Score: 5.0
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
CWE: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CAPEC: CAPEC-63 Cross-Site Scripting (XSS)
Internal ID: 163512
Date issued: 2023-03-06