CVE-2022-3284: Insecure way of passing a download key

DESCRIPTION

Download key for a file in a vault was passed in an insecure way that could easily be logged in M-Files New Web in M-Files before 22.11.12011.0.

AFFECTED PRODUCTS

M-Files New Web before 22.11.12011.0.

MORE INFORMATION

Download key for a file download was passed in a insecure way which makes the file public and accessible by unauthorise party as the key also contains the sessionID.

CVSS 3.1 Score: 6.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

CAPEC: CAPEC-158 Sniffing Network Traffic

Internal ID: 164237

Date issued: 2023-03-06

LINKS

https://www.cve.org/CVERecord?id=CVE-2022-3284

Review M-Files on Gartner® Peer Insights™ & get a $25 gift card!

X