CVE-2025-13008: Session Token Disclosure in M-Files Web

DESCRIPTION

An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users.

AFFECTED PRODUCTS

M-Files Server before 25.12.15491.7
M-Files Server before LTS 25.8 SR3 (25.8.15085.18)
M-Files Server before LTS 25.2 SR3 (25.2.14524.14)
M-Files Server before LTS 24.8 SR5 (24.8.13981.17)

MORE INFORMATION

The vulnerability exists in M-Files Web and requires an authenticated attacker. The victim must be actively using M-Files Web and performing specific client operations at the time. An attacker who obtains another user's session token could impersonate that user and perform actions with their identity and permissions.

CVSS 4.0 Base Score (CVSS-B): 8.6

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-359: Exposure of Private Personal Information to an Unauthorized Actor

CAPEC: CAPEC-60: Reusing Session IDs (aka Session Replay)

Internal ID: CE-2194

Date issued: 2025-12-19

Alternate IDs: EUVD-2025-204468

EXPLOITABILITY

Publicly disclosed: No
Exploited: No
Probability of exploitation: Low – responsibly reported

LINKS

https://www.cve.org/CVERecord?id=CVE-2025-13008

https://euvd.enisa.europa.eu/vulnerability/EUVD-2025-204468

HISTORY

2025-12-19 Published
