CVE-2021-41810: Script injection in M-Files Admin

DESCRIPTION

Script injection in M-Files Admin before 22.2.11051.0, allows execution of stored script content in the admin tool.

AFFECTED PRODUCTS

M-Files Admin before 22.2.11051.0

MORE INFORMATION

M-Files Admin tool allows storing configuration data with script which may then get run by another vault administrator. Requires vault admin level authentication and is not remotely exploitable.

CWE: CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:L/A:N
CVSS 3.1 Score: 5.2
Internal ID: 160733
Alternate IDs: EUVD-2021-28815

EXPLOITABILITY

Publicly disclosed: No
Exploited: No
Probability of exploitation: Low – internally found

LINKS

https://www.cve.org/CVERecord?id=CVE-2021-41810

HISTORY

2022-05-02 CVE Published
2026-02-23 Advisory updated

Review M-Files on Gartner® Peer Insights™ & get a $25 gift card!

Review now
X