CVE-2025-2159: Stored XSS in M-Files Admin user interface

DESCRIPTION

Stored XSS in the Desktop UI of the M-Files Server Admin tool before version 25.3.14681.7 on Windows allows an authenticated local user to run scripts via the UI.
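
The weakness class behind this advisory (CWE-79, stored XSS) is a value that is saved as typed and later concatenated into markup without output encoding. The following is an added illustration, not M-Files code; the advisory does not say which field or view is involved, so the "display name" field, the in-memory store and all function names here are assumed for the example. It shows the vulnerable rendering beside the hardened one and a small check that detects when user-supplied markup survives into the rendered HTML.

```javascript
// Added illustration of CWE-79 (stored XSS). Hypothetical names throughout;
// the field affected by CVE-2025-2159 is not stated in the advisory.

// Constructed in-memory store standing in for persisted settings or records.
const store = new Map();

function saveDisplayName(userId, displayName) {
  // The value is stored as typed. Storage is not where XSS is fixed;
  // the fix belongs at the point where the value is rendered.
  store.set(userId, displayName);
}

// Vulnerable rendering ("before"): the stored value is concatenated straight
// into markup, so any tags the user typed become part of the page.
function renderUserRowUnsafe(userId) {
  return `<tr><td>${store.get(userId)}</td></tr>`;
}

// Hardened rendering: every character with meaning in HTML text or attribute
// context is replaced by its entity before the value reaches the markup.
function escapeHtml(value) {
  const entities = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

function renderUserRowSafe(userId) {
  return `<tr><td>${escapeHtml(store.get(userId))}</td></tr>`;
}

// Detection check a code review or test suite can run: returns true when a
// user value containing tag delimiters reached the rendered HTML unchanged.
function leaksMarkup(renderedHtml, userValue) {
  return /[<>]/.test(userValue) && renderedHtml.includes(userValue);
}

// Constructed sample input: a display name carrying a harmless script tag.
const SAMPLE_NAME = 'Alice <script>console.log("stored xss")</script>';

function demo() {
  saveDisplayName('u1', SAMPLE_NAME);
  const unsafe = renderUserRowUnsafe('u1');
  const safe = renderUserRowSafe('u1');
  return {
    unsafe,
    safe,
    unsafeLeaks: leaksMarkup(unsafe, SAMPLE_NAME),
    safeLeaks: leaksMarkup(safe, SAMPLE_NAME),
  };
}

module.exports = { saveDisplayName, renderUserRowUnsafe, renderUserRowSafe, escapeHtml, leaksMarkup, demo, SAMPLE_NAME };
```

Run `node` on the file and call `demo()`: the unsafe row contains the script tag verbatim, the safe row contains only entities. Note that entity encoding is the right fix for HTML text and quoted-attribute context; a value placed into a JavaScript string, a URL or a CSS property needs the encoder for that context instead.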

AFFECTED PRODUCTS

M-Files Admin tool before 25.3.14681.7

MORE INFORMATION

Exploiting this vulnerability requires a local user who either has high privileges on the operating system or uses operating system login credentials that are shared among multiple users.

CVSS 4.0 CVSS-B Score: 5.1

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’)

CAPEC: CAPEC-592 Stored XSS

Internal ID: ADI-222

Date issued: 2025-04-01

Credits: Pasi Orovuo / Solita Oy, Teemu Laakso / Solita Oy

EXPLOITABILITY

Publicly disclosed: No
Exploited: No
Probability of exploitation: low – responsibly reported

LINKS

https://www.cve.org/CVERecord?id=CVE-2025-2159

HISTORY

2025-04-03 Published
