CVE-2023-5523: M-Files Web Companion allows Remote Code Execution
An execution-of-downloaded-content flaw in M-Files Web Companion before release version 23.10, and in LTS Service Release versions before 23.8 LTS SR1, allows Remote Code Execution.
M-Files Web Companion before 23.10
M-Files Web Companion before 23.8 LTS SR1
The vulnerability requires user interaction to be exploitable.
The vulnerability is fixed in release version 23.10 and in Long Term Service release 23.8 SR1. Web Companion was not included in Long Term Service release 23.2, so that release is not affected.
The vulnerability is in Web Companion. To mitigate it, update M-Files Server first and then Web Companion. Web Companion does not update automatically for users who have it installed; they must accept the update suggestion shown when they open M-Files Web after M-Files has been updated. If a user does not have Web Companion installed, the vulnerability does not apply, even with an M-Files release before 23.10.
CVSS 3.1 Base Score: 8.6
CVSS 3.1 Temporal Score: 7.7
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C
CWE: CWE-829 Inclusion of Functionality from Untrusted Control Sphere
CAPEC: CAPEC-253 Remote Code Inclusion
Internal ID: 168401
Date issued: 2023-10-19
Credits: Anton Keskisaari / Second Nature Security
Publicly disclosed: No
Probability of exploitation: low - responsibly reported