Security Advisories
Detailed information on public vulnerabilities in M-Files products
Additional M-Files security related information available: https://www.m-files.com/about/trust-center/
CVE-2024
CVE ID | DATE ISSUED | TITLE | PRODUCTS |
CVE-2024-9333 | 2024-10-02 | CVE-2024-9333: Permission bypass in M-Files Connector for Copilot | M-Files Connector for Copilot before 24.9.3 |
CVE-2024-9174 | 2024-10-02 | CVE-2024-9174: Stored HTML Injection in Social Module | M-Files Hubshare before 5.0.8.6 |
CVE-2024-6789 | 2024-08-27 | CVE-2024-6789: Path traversal in M-Files API | M-Files Server before 24.8.13981.0 M-Files Server before 24.2 LTS SR2 (24.2.13421.15) |
CVE-2024-6881 | 2024-07-29 | CVE-2024-6881: Stored XSS Vulnerability | M-Files Hubshare before 5.0.6.0 |
CVE-2024-6124 | 2024-07-29 | CVE-2024-6124: Reflected XSS in Hubshare via Open Redirect | M-Files Hubshare before 5.0.6.0 |
CVE-2024-5142 | 2024-04-26 | CVE-2024-5142: XSS Vulnerability in Hubshare | M-Files Hubshare before 3.0.5.8 |
CVE-2024-4056 | 2024-04-26 | CVE-2024-4056: Denial of Service condition in M-Files Server | M-Files Server before 24.4.13592.4 and after 23.11 M-Files Server not affected at 24.2 LTS |
CVE-2024-0563 | 2024-02-23 | CVE-2024-0563: Denial of service condition in M-Files Server | M-Files Server before 24.2 M-Files Server before 23.2 LTS SR7 M-Files Server before 23.8 LTS SR5 |
CVE-2023
CVE ID | DATE ISSUED | TITLE | PRODUCTS |
CVE-2023-4479 | 2024-03-18 | CVE-2023-4479: Stored XSS Vulnerability in M-Files Web | M-Files Web before 23.8 |
CVE-2023-6912 | 2023-12-19 | CVE-2023-6912: Brute force vulnerability in M-Files user authentication | M-Files Server before 23.12.13195.0 |
CVE-2023-6910 | 2023-12-18 | CVE-2023-6239: Incorrect calculation of effective permissions | M-Files Server 23.9 M-Files Server 23.10 M-Files Server 23.11 versions prior to 23.11.13168.7 |
CVE-2023-6239 | 2023-11-28 | CVE-2023-6239: Incorrect calculation of effective permissions | M-Files Server 23.9 M-Files Server 23.10 M-Files Server 23.11 versions prior to 23.11.13168.7 |
CVE-2023-6117 | 2023-11-22 | CVE-2023-6117: M-Files REST API allows Denial of Service | M-Files Server before 23.11.13156.0 |
CVE-2023-6189 | 2023-11-22 | CVE-2023-6189: Elevation of Privilege in M-Files Server | M-Files Server before 23.11.13156.0 |
CVE-2023-2325 | 2023-10-20 | CVE-2023-2325: Stored XSS Vulnerability in M-Files Classic Web | M-Files Server before 23.10 M-Files Server before 23.2 LTS SR4 M-Files Server before 23.8 LTS SR1 |
CVE-2023-5523 | 2023-10-20 | CVE-2023-5523: M-Files Web Companion allows Remote Code Execution | M-Files Web Companion before 23.10 M-Files Web Companion before 23.8 LTS SR1 |
CVE-2023-5524 | 2023-10-20 | CVE-2023-5524: M-Files Web Companion allowed Remote Code Execution for some filetypes | M-Files Web Companion before 23.10 M-Files Web Companion before 23.8 LTS SR1 |
CVE-2023-3425 | 2023-08-25 | CVE-2023-3425: Out-of-Bounds memory read in M-Files Server | M-Files Server before 23.8.12892.6 M-Files Server before 23.2 LTS SR3 |
CVE-2023-3406 | 2023-08-25 | CVE-2023-3406: Path traversal issue in M-Files Classic Web | M-Files Classic Web before 23.6.12695.3 M-Files Classic Web before 23.2 LTS SR3 |
CVE-2023-3405 | 2023-06-28 | CVE-2023-3405: CVE-2023-3405: Denial of service in M-Files Server | M-Files Server before 23.6.12695.3 (excluding 23.2 SR2 and newer) |
CVE-2023-2480 | 2023-05-25 | CVE-2023-2480: Elevation of Privilege in M-Files Desktop Client | M-Files Client before 23.5.12598.0 |
CVE-2023-0383 | 2023-04-20 | CVE-2023-0383: Uncontrolled Resource Consumption in M-Files Server | M-Files Server before 23.4.12528.1 |
CVE-2023-0384 | 2023-04-20 | CVE-2023-0384: Uncontrolled Resource Consumption in M-Files Server | M-Files Server before 23.4.12528.1 |
CVE-2023-2112 | 2023-04-20 | CVE-2023-2112: Desktop Component allows lateral movement between sessions | M-Files Desktop before 23.4.12455.0 |
CVE-2023-0382 | 2023-04-05 | CVE-2023-0382: Uncontrolled Resource Consumption in M-Files Server | M-Files Server before 23.4.12528.1 |
CVE-2023-0213 | 2023-03-29 | CVE-2023-0213: Elevation of Privilege | M-Files version before 22.6. |
CVE-2022
CVE ID | DATE ISSUED | TITLE | PRODUCTS |
CVE-2022-4862 | 2023-03-06 | XSS vulnerability in M-Files Web | M-Files Web before 22.12.12140.3 |
CVE-2022-3284 | 2023-03-06 | Insecure Way of Passing a Download Key | M-Files New Web before 22.11.12011.0 |
CVE-2022-4861 | 2022-12-30 | Incorrect Implementation of Authentication Algorithm | M-Files Client before 22.5.11356.0. |
CVE-2022-4858 | 2022-12-30 | Insertion of Sensitive Information into Log File | M-Files Server before 22.10.11846.0. |
CVE-2022-4264 | 2022-12-09 | Incorrect Privilege Assignment | M-Files Web Classic version before 22.8.11691.0. |
CVE-2022-4270 | 2022-12-02 | Incorrect Privilege Assignment | All M-Files Web Classic versions before 22.5.11436.1. All M-Files Web vNext versions before 22.5.11436.1. |
CVE-2022-1606 | 2022-11-30 | Incorrect Privilege Assignment | All M-Files Server versions before 22.3.111.64.0 and before 22.3.11237.1. |
CVE-2022-1911 | 2022-11-30 | Information Disclosure in M-Files Server | All M-Files Server versions before 22.3.111.64.0 and before 22.3.11237.1. |
CVE-2022-3602 & CVE-2022-3786 | 2022-11-01 | OpenSSL 3.x Vulnerability and M-Files | M-Files Server/Desktop/Classic Web/VNEXT/Mobile |
CVE-2022-39019 | 2022-08-20 | Lack of authorization check on rendered images from pdftron | All Hubshare versions before 3.3.10.8 |
CVE-2022-39018 | 2022-08-20 | Pdftron lack of authorization check | All Hubshare versions before 3.3.10.8 |
CVE-2022-39017 | 2022-08-20 | Cross Site Scripting (XSS) from comment areas | All Hubshare versions before 3.3.10.8 |
CVE-2022-39016 | 2022-08-20 | Cross Site Scripting (XSS) | All Hubshare versions before 3.3.10.8 |
CVE-2022-26809 | 2022-04-16 | Remote Procedure Call Runtime Remote Code Execution Vulnerability and M-Files | M-Files Server/Desktop/Classic Web/VNEXT/Mobile |
CVE-2022-22965 | 2022-04-01 | Spring Framework RCE and M-Files | M-Files Server/Desktop/Classic Web/VNEXT/Mobile |
CVE-2021
CVE ID | DATE ISSUED | TITLE | PRODUCTS |
CVE-2021-41809 | 2022- 01-17 | SSRF Vulnerability | M-Files Server version before 22.1.11017.1 |
CVE-2021-41808 | 2022-01-17 | Information disclosure | M-Files Server version before 21.11.10775.0 |
CVE-2021-41807 | 2022-01-17 | Lack of rate-limiting | M-Files Server version before 21.12.10873.0 M-Files Web version before 21.12.10873.0 |
CVE-2021-44228 | 2021-12-14 | Log4j and M-Files | M-Files Server/Desktop/Classic Web/VNEXT/Mobile |
CVE-2021-37253 | 2021-12-03 | Denial of Service | M-Files Classic Web |
CVE-2021-37254 | 2021-10-27 | Information Disclosure Vulnerability | M-Files Web |