Security Advisories

Detailed information on public vulnerabilities in M-Files products

Additional M-Files security related information available: https://www.m-files.com/about/trust-center/

CVE-2024

CVE IDDATE ISSUEDTITLEPRODUCTS
CVE-2024-93332024-10-02CVE-2024-9333: Permission bypass in M-Files Connector for CopilotM-Files Connector for Copilot before 24.9.3
CVE-2024-91742024-10-02CVE-2024-9174: Stored HTML Injection in Social ModuleM-Files Hubshare before 5.0.8.6
CVE-2024-67892024-08-27CVE-2024-6789: Path traversal in M-Files APIM-Files Server before 24.8.13981.0
M-Files Server before 24.2 LTS SR2 (24.2.13421.15)
CVE-2024-68812024-07-29CVE-2024-6881: Stored XSS VulnerabilityM-Files Hubshare before 5.0.6.0
CVE-2024-61242024-07-29CVE-2024-6124: Reflected XSS in Hubshare via Open RedirectM-Files Hubshare before 5.0.6.0
CVE-2024-51422024-04-26CVE-2024-5142: XSS Vulnerability in HubshareM-Files Hubshare before 3.0.5.8
CVE-2024-40562024-04-26CVE-2024-4056: Denial of Service condition in M-Files ServerM-Files Server before 24.4.13592.4 and after 23.11
M-Files Server not affected at 24.2 LTS
CVE-2024-05632024-02-23CVE-2024-0563: Denial of service condition in M-Files ServerM-Files Server before 24.2
M-Files Server before 23.2 LTS SR7
M-Files Server before 23.8 LTS SR5

CVE-2023

CVE IDDATE ISSUEDTITLEPRODUCTS
CVE-2023-44792024-03-18CVE-2023-4479: Stored XSS Vulnerability in M-Files WebM-Files Web before 23.8
CVE-2023-6912 2023-12-19CVE-2023-6912: Brute force vulnerability in M-Files user authenticationM-Files Server before 23.12.13195.0
CVE-2023-6910 2023-12-18CVE-2023-6239: Incorrect calculation of effective permissionsM-Files Server 23.9
M-Files Server 23.10
M-Files Server 23.11 versions prior to 23.11.13168.7
CVE-2023-6239 2023-11-28CVE-2023-6239: Incorrect calculation of effective permissionsM-Files Server 23.9
M-Files Server 23.10
M-Files Server 23.11 versions prior to 23.11.13168.7
CVE-2023-6117 2023-11-22CVE-2023-6117: M-Files REST API allows Denial of ServiceM-Files Server before 23.11.13156.0
CVE-2023-6189 2023-11-22CVE-2023-6189: Elevation of Privilege in M-Files ServerM-Files Server before 23.11.13156.0
CVE-2023-2325 2023-10-20CVE-2023-2325: Stored XSS Vulnerability in M-Files Classic WebM-Files Server before 23.10
M-Files Server before 23.2 LTS SR4
M-Files Server before 23.8 LTS SR1
CVE-2023-5523 2023-10-20CVE-2023-5523: M-Files Web Companion allows Remote Code ExecutionM-Files Web Companion before 23.10
M-Files Web Companion before 23.8 LTS SR1
CVE-2023-5524 2023-10-20CVE-2023-5524: M-Files Web Companion allowed Remote Code Execution for some filetypesM-Files Web Companion before 23.10
M-Files Web Companion before 23.8 LTS SR1
CVE-2023-3425 2023-08-25CVE-2023-3425: Out-of-Bounds memory read in M-Files ServerM-Files Server before 23.8.12892.6
M-Files Server before 23.2 LTS SR3
CVE-2023-3406 2023-08-25CVE-2023-3406: Path traversal issue in M-Files Classic WebM-Files Classic Web before 23.6.12695.3
M-Files Classic Web before 23.2 LTS SR3
CVE-2023-3405 2023-06-28CVE-2023-3405: CVE-2023-3405: Denial of service in M-Files ServerM-Files Server before 23.6.12695.3 (excluding 23.2 SR2 and newer)
CVE-2023-2480 2023-05-25CVE-2023-2480: Elevation of Privilege in M-Files Desktop ClientM-Files Client before 23.5.12598.0
CVE-2023-03832023-04-20CVE-2023-0383: Uncontrolled Resource Consumption in M-Files ServerM-Files Server before 23.4.12528.1
CVE-2023-03842023-04-20CVE-2023-0384: Uncontrolled Resource Consumption in M-Files ServerM-Files Server before 23.4.12528.1
CVE-2023-21122023-04-20CVE-2023-2112: Desktop Component allows lateral movement between sessionsM-Files Desktop before 23.4.12455.0
CVE-2023-03822023-04-05CVE-2023-0382: Uncontrolled Resource Consumption in M-Files ServerM-Files Server before 23.4.12528.1
CVE-2023-02132023-03-29CVE-2023-0213: Elevation of PrivilegeM-Files version before 22.6.

CVE-2022

CVE IDDATE ISSUEDTITLEPRODUCTS
CVE-2022-48622023-03-06XSS vulnerability in M-Files WebM-Files Web before 22.12.12140.3
CVE-2022-32842023-03-06Insecure Way of Passing a Download KeyM-Files New Web before 22.11.12011.0
CVE-2022-48612022-12-30Incorrect Implementation of Authentication AlgorithmM-Files Client before 22.5.11356.0.
CVE-2022-48582022-12-30Insertion of Sensitive Information into Log FileM-Files Server before 22.10.11846.0.
CVE-2022-42642022-12-09Incorrect Privilege AssignmentM-Files Web Classic version before 22.8.11691.0.
CVE-2022-42702022-12-02Incorrect Privilege AssignmentAll M-Files Web Classic versions before 22.5.11436.1.
All M-Files Web vNext versions before 22.5.11436.1.
CVE-2022-16062022-11-30Incorrect Privilege AssignmentAll M-Files Server versions before 22.3.111.64.0 and before 22.3.11237.1.
CVE-2022-19112022-11-30Information Disclosure in M-Files ServerAll M-Files Server versions before 22.3.111.64.0 and before 22.3.11237.1.
CVE-2022-3602 & CVE-2022-37862022-11-01OpenSSL 3.x Vulnerability and M-FilesM-Files Server/Desktop/Classic Web/VNEXT/Mobile
CVE-2022-390192022-08-20Lack of authorization check on rendered images from pdftronAll Hubshare versions before 3.3.10.8
CVE-2022-390182022-08-20Pdftron lack of authorization checkAll Hubshare versions before 3.3.10.8
CVE-2022-390172022-08-20Cross Site Scripting (XSS) from comment areasAll Hubshare versions before 3.3.10.8
CVE-2022-390162022-08-20Cross Site Scripting (XSS)All Hubshare versions before 3.3.10.8
CVE-2022-268092022-04-16Remote Procedure Call Runtime Remote Code Execution Vulnerability and M-FilesM-Files Server/Desktop/Classic Web/VNEXT/Mobile
CVE-2022-229652022-04-01Spring Framework RCE and M-FilesM-Files Server/Desktop/Classic Web/VNEXT/Mobile

CVE-2021

CVE IDDATE ISSUEDTITLEPRODUCTS
CVE-2021-418092022- 01-17SSRF VulnerabilityM-Files Server version before 22.1.11017.1
CVE-2021-418082022-01-17Information disclosureM-Files Server version before 21.11.10775.0
CVE-2021-418072022-01-17Lack of rate-limitingM-Files Server version before 21.12.10873.0
M-Files Web version before 21.12.10873.0
CVE-2021-442282021-12-14Log4j and M-FilesM-Files Server/Desktop/Classic Web/VNEXT/Mobile
CVE-2021-372532021-12-03Denial of ServiceM-Files Classic Web
CVE-2021-372542021-10-27Information Disclosure VulnerabilityM-Files Web