CVE-2021-41807: Lack of rate limiting.

DESCRIPTION:

Lack of rate limiting in M-Files Server and M-Files Web products with versions before 21.12.10873.0, allows brute-forcing of certain type of user accounts.

AFFECTED PRODUCTS:

* M-Files Server version before 21.12.10873.0
* M-Files Web version before 21.12.10873.0

MORE INFORMATION:

Lack of rate limiting in certain type of user accounts allows unlimited amount of attempts and therefore makes brute-forcing login accounts easier.

Vulnerability was found by an external security researcher.

M-Files would like to thank Murat Aydemir from Accenture Cyber Security Team (Prague CFC) for bringing this to our attention.

CWE: CWE-307