CVE-2025-3086: User in anonymous role could create and delete views

DESCRIPTION

Improper isolation of users in M-Files Server versions before 25.3.14549 on Windows allows an anonymous user to affect other anonymous users' views.

AFFECTED PRODUCTS

M-Files Server before 25.3.14549

MORE INFORMATION

Anonymous user access is disabled by default. However, if it is enabled, any anonymous user could create and delete views. The issue affected only anonymous users, not authenticated users. This problem could allow some level of denial of service against the server.

CVSS 4.0 CVSS-B Score: 6.3

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

CWE: CWE-653: Improper Isolation or Compartmentalization

CAPEC: CAPEC-130 Excessive Allocation

Internal ID: CLOSS-537

Date issued: 2025-04-01

EXPLOITABILITY

Publicly disclosed: No
Exploited: No
Probability of exploitation: low – internally found

LINKS

https://www.cve.org/CVERecord?id=CVE-2025-3086

HISTORY

2025-04-03 Published
