CVE-2023-6189: Elevation of Privilege in M-Files Server

DESCRIPTION:

Missing access permissions checks in the M-Files server before 23.11.13156.0 allow attackers to perform data write and export jobs using the M-Files API methods.

AFFECTED PRODUCTS:

M-Files Server before 23.11.13156.0

MORE INFORMATION:

Using the M-Files API method any user can write the log entries and perform the data export jobs that should only be allowed for authenticated users.

CVSS 3.1 Base Score: 4.3

CVSS 3.1 Temporal Score: 3.7

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:R

CWE: CWE-280 Improper Handling of Insufficient Permissions or Privileges

CAPEC: CAPEC-212 Functionality Misuse

Internal ID: 167986,167987

Date issued: 2023-11-22

EXPLOITABILITY

Publicly disclosed: No

Exploited: No

Probability of exploitation: low - internally found

LINKS

https://www.cve.org/CVERecord?id=CVE-2023-6189

HISTORY

2023-11-22 Published