CVE-2024-9333: Permission bypass in M-Files Connector for Copilot

DESCRIPTION

A permissions bypass in M-Files Connector for Copilot before version 24.9.3 allows an authenticated user to access a limited number of documents via an incorrect access control list calculation.

AFFECTED PRODUCTS

M-Files Connector for Copilot before 24.9.3

MORE INFORMATION

Specific scenarios using metadata-based permissions may have allowed a user to access data that the user should not have access to. To fix the vulnerability, update Connector for Copilot to version 24.9.3 or newer.

CVSS 4.0 CVSS-B Score: 5.3

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N

CWE: CWE-281: Improper Preservation of Permissions

CAPEC: CAPEC-180: Exploiting Incorrectly Configured Access Control Security Levels

Internal ID: 171378

Date issued: 2024-09-25

EXPLOITABILITY

Publicly disclosed: No
Exploited: No
Probability of exploitation: low – internally found

LINKS

https://www.cve.org/CVERecord?id=CVE-2024-9333

HISTORY

2024-10-02 Published