CVE-2023-5524: M-Files Web Companion allowed Remote Code Execution for some filetypes
Insufficient blacklisting in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows Remote Code Execution via specific file types
M-Files Web Companion before 23.10
M-Files Web Companion before 23.8 LTS SR1
The vulnerability requires user interaction to be exploitable and it also requires the attacker to have access to a vault to update malicious file into the vault.
The vulnerability is fixed in release version 23.10 and in Long Term Service releases 23.8 SR1. These versions have already been installed in our cloud environments as usual and the downloads for on-premise customers are available. Web Companion was not included in Long Term Service release 23.2, so that is not affected.
The vulnerability is in Web Companion and to mitigate this vulnerability it is necessary to update M-Files Server and then Web Companion. Web Companion does not automatically update to the users that have it installed, they need to accept update suggest it when they open M-Files Web after M-Files is updated. If the user does not have Web Companion installed, the vulnerability does not apply even with M-Files Release before 23.10.
CVSS 3.1 Base Score: 8.2
CVSS 3.1 Temporal Score: 7.1
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CWE: CWE-434 Unrestricted Upload of File with Dangerous Type
CAPEC: CAPEC-253 Remote Code Inclusion
Internal ID: 168541
Date issued: 2023-10-20
Credits: Anton Keskisaari / Second Nature Security
Publicly disclosed: No
Probability of exploitation: low - responsibly reported