CVE-2023-0213: Elevation of Privilege

AFFECTED PRODUCTS:

M-Files versions before 22.6.

MORE INFORMATION:

A user with local access to a Windows machine that has M-Files Desktop or Admin tools installed could gain SYSTEM privileges.

This vulnerability does not grant any additional access or privileges to the document vault or M-Files Server. The threat is limited to the user's local Windows operating system and to possible lateral movement using the additional operating system privileges.

A malicious entity needs to be authenticated and logged in to Windows to be able to exploit this vulnerability.

CVSS 3.1 Score: 8.8

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-427: Uncontrolled Search Path Element
CAPEC: CAPEC-471: Search Order Hijacking

Internal ID: None

Date issued: 2023-03-29

Credits: Alexander Staalgaard / Banshie

LINKS

https://www.cve.org/CVERecord?id=CVE-2023-0213

HISTORY

2023-03-29 Published
2023-04-01 Additional information added