CVE-2023-5523: M-Files Web Companion allows Remote Code Execution

DESCRIPTION:

An "execution of downloaded content" flaw in M-Files Web Companion before release version 23.10, and in LTS Service Release versions before 23.8 LTS SR1, allows remote code execution.

AFFECTED PRODUCTS:

M-Files Web Companion before 23.10

M-Files Web Companion before 23.8 LTS SR1

MORE INFORMATION:

The vulnerability requires user interaction to be exploitable.

The vulnerability is fixed in release version 23.10 and in Long Term Service release 23.8 LTS SR1. Web Companion was not included in Long Term Service release 23.2, so that release is not affected.

The vulnerability is in Web Companion. To mitigate it, first update M-Files Server and then update Web Companion. Web Companion does not update automatically on the machines of users who have it installed: those users must accept the update suggestion shown when they open M-Files Web after M-Files Server has been updated. Users who do not have Web Companion installed are not affected, even on M-Files releases before 23.10.

CVSS 3.1 Base Score: 8.6

CVSS 3.1 Temporal Score: 7.7

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C

CWE: CWE-829 Inclusion of Functionality from Untrusted Control Sphere

CAPEC: CAPEC-253 Remote Code Inclusion

Internal ID: 168401

Date issued: 2023-10-19

Credits: Anton Keskisaari / Second Nature Security

EXPLOITABILITY

Publicly disclosed: No

Exploited: No

Probability of exploitation: low - responsibly reported

LINKS

https://www.cve.org/CVERecord?id=CVE-2023-5523

HISTORY

2023-10-20 Published