CVE-2023-0213: Elevation of Privilege
M-Files versions before 22.6.
A user with local access to a Windows system where M-Files Desktop or Admin tools are installed could gain SYSTEM privileges.
This vulnerability does not grant any additional access or privileges to the document vault or M-Files Server. The threat is limited to the user’s local Windows operating system and to possible lateral movement using the additional operating system privileges.
A malicious entity needs to be authenticated and logged in to Windows to be able to use this vulnerability.
CVSS 3.1 Score: 8.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE: CWE-427: Uncontrolled Search Path Element
CAPEC: CAPEC-471: Search Order Hijacking
Internal ID: None
Date issued: 2023-03-29
Credits: Alexander Staalgaard / Banshie
2023-04-01 Additional information added