Missing access permission checks in M-Files Client before 23.5.12598.0 allow elevation of privilege via UI extension applications.
M-Files Client before 23.5.12598.0
Successful exploitation of the vulnerability requires complex user interaction: the user must first be induced to create a connection to an external vault controlled by the attacker, and must then separately accept an application from that vault.
CVSS 3.1 Score: 7.5
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N
CWE: CWE-280 Improper Handling of Insufficient Permissions or Privileges
CAPEC: CAPEC-212 Functionality Misuse
Internal ID: 161636
Date issued: 2023-05-25