
    6 vulnerabilities found for classic_web by m-files

    CVE-2023-2325 (GCVE-0-2023-2325)

    Vulnerability from nvd – Published: 2023-10-20 06:39 – Updated: 2026-02-23 08:40
    VLAI
    Title
    Stored XSS Vulnerability in M-Files Classic Web
    Summary
    Stored XSS Vulnerability in M-Files Classic Web versions before 23.10 and LTS Service Release Versions before 23.2 LTS SR4 and 23.8 LTS SR1 allows an attacker to execute script in a user's browser via a stored HTML document.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Impacted products
    Vendor Product Version
    M-Files M-Files Web Affected: 0 , < 23.10 (custom)
    Unaffected: 23.2 LTS SR4
    Unaffected: 23.8 LTS SR1
    Date Public
    2023-10-19 12:00
    Credits
    Thomas Riedmaier / Siemens Energy Abian Blome / Siemens Energy

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:19:14.651Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-2325/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-2325",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-28T20:06:44.113282Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-28T20:06:58.799Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Web",
              "vendor": "M-Files",
              "versions": [
                {
                  "lessThan": "23.10",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "23.2 LTS SR4"
                },
                {
                  "status": "unaffected",
                  "version": "23.8 LTS SR1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Thomas Riedmaier / Siemens Energy"
            },
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Abian Blome / Siemens Energy"
            }
          ],
          "datePublic": "2023-10-19T12:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Stored XSS Vulnerability in M-Files Classic Web versions before 23.10\u0026nbsp;a\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003end LTS Service Release Versions before 23.2 LTS SR4 and 23.8 LTS SR1allows attacker to execute script on users browser via stored HTML document.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "Stored XSS Vulnerability in M-Files Classic Web versions before 23.10\u00a0and LTS Service Release Versions before 23.2 LTS SR4 and 23.8 LTS SR1allows attacker to execute script on users browser via stored HTML document."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T08:40:56.290Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2023-2325/"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2023-2325"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to fixed version"
                }
              ],
              "value": "Update to fixed version"
            }
          ],
          "source": {
            "defect": [
              "167253"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Stored XSS Vulnerability in M-Files Classic Web",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2023-2325",
        "datePublished": "2023-10-20T06:39:44.747Z",
        "dateReserved": "2023-04-27T08:15:36.501Z",
        "dateUpdated": "2026-02-23T08:40:56.290Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-3425 (GCVE-0-2023-3425)

    Vulnerability from nvd – Published: 2023-08-25 08:08 – Updated: 2026-02-23 08:48
    VLAI
    Title
    CVE-2023-3425: Out-of-Bounds memory read
    Summary
    Out-of-bounds read issue in M-Files Server versions below 23.8.12892.6 and LTS Service Release Versions before 23.2 LTS SR3 allows an unauthenticated user to read a restricted number of bytes from memory.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-125 - Out-of-bounds Read
    Impacted products
    Vendor Product Version
    M-Files M-Files Server Affected: 0 , < 23.8.12892.6 (custom)
    Unaffected: 23.2.12340.14

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:55:03.431Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-3425"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3425",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-28T18:29:38.276025Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-28T18:29:48.168Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Server",
              "vendor": "M-Files",
              "versions": [
                {
                  "lessThan": "23.8.12892.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "23.2.12340.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Out-of-bounds read issue in M-Files Server versions below 23.8.12892.6 and LTS Service Release Versions before 23.2 LTS SR3 allows unauthenticated user to read restricted amount of bytes from memory."
                }
              ],
              "value": "Out-of-bounds read issue in M-Files Server versions below 23.8.12892.6 and LTS Service Release Versions before 23.2 LTS SR3 allows unauthenticated user to read restricted amount of bytes from memory."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "None publicly available\u003cbr\u003e"
                }
              ],
              "value": "None publicly available"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-540",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-540: Overread Buffers"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125: Out-of-bounds Read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T08:48:57.088Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2023-3425/"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2023-3425"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to M-Files release versions 23.8 or newer, or update to LTS versions 23.2 SR3 or newer\u003cbr\u003e"
                }
              ],
              "value": "Update to M-Files release versions 23.8 or newer, or update to LTS versions 23.2 SR3 or newer"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "CVE-2023-3425: Out-of-Bounds memory read",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2023-3425",
        "datePublished": "2023-08-25T08:08:05.954Z",
        "dateReserved": "2023-06-27T05:38:34.710Z",
        "dateUpdated": "2026-02-23T08:48:57.088Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-3406 (GCVE-0-2023-3406)

    Vulnerability from nvd – Published: 2023-08-25 08:11 – Updated: 2026-02-23 08:48
    VLAI
    Title
    Path traversal issue in M-Files Classic Web
    Summary
    Path Traversal issue in M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release Versions before 23.2 LTS SR3 allows an authenticated user to read some restricted files on the web server.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Impacted products
    Vendor Product Version
    M-Files M-Files Web Affected: 0 , < 23.6.12695.3 (custom)
    Unaffected: 23.2.12340.14
    Date Public
    2023-08-25 07:05

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:55:03.469Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-3406"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3406",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-28T18:28:51.404395Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-28T18:29:05.426Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Web",
              "vendor": "M-Files",
              "versions": [
                {
                  "lessThan": "23.6.12695.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "23.2.12340.14"
                }
              ]
            }
          ],
          "datePublic": "2023-08-25T07:05:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Path Traversal issue in M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release Versions before 23.2 LTS SR3 allows authenticated user to read some restricted files on the web server"
                }
              ],
              "value": "Path Traversal issue in M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release Versions before 23.2 LTS SR3 allows authenticated user to read some restricted files on the web server"
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "None publicly available"
                }
              ],
              "value": "None publicly available"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126 Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T08:48:04.741Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2023-3406/"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2023-3406"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to M-Files release versions 23.6 or newer, or update to LTS versions 23.2 SR3 or newer."
                }
              ],
              "value": "Update to M-Files release versions 23.6 or newer, or update to LTS versions 23.2 SR3 or newer."
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Path traversal issue in M-Files Classic Web",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2023-3406",
        "datePublished": "2023-08-25T08:11:46.246Z",
        "dateReserved": "2023-06-26T13:29:10.505Z",
        "dateUpdated": "2026-02-23T08:48:04.741Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-2325 (GCVE-0-2023-2325)

    Vulnerability from cvelistv5 – Published: 2023-10-20 06:39 – Updated: 2026-02-23 08:40
    VLAI
    Title
    Stored XSS Vulnerability in M-Files Classic Web
    Summary
    Stored XSS Vulnerability in M-Files Classic Web versions before 23.10 and LTS Service Release Versions before 23.2 LTS SR4 and 23.8 LTS SR1 allows an attacker to execute script in a user's browser via a stored HTML document.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Impacted products
    Vendor Product Version
    M-Files M-Files Web Affected: 0 , < 23.10 (custom)
    Unaffected: 23.2 LTS SR4
    Unaffected: 23.8 LTS SR1
    Date Public
    2023-10-19 12:00
    Credits
    Thomas Riedmaier / Siemens Energy Abian Blome / Siemens Energy

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:19:14.651Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-2325/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-2325",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-28T20:06:44.113282Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-28T20:06:58.799Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Web",
              "vendor": "M-Files",
              "versions": [
                {
                  "lessThan": "23.10",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "23.2 LTS SR4"
                },
                {
                  "status": "unaffected",
                  "version": "23.8 LTS SR1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Thomas Riedmaier / Siemens Energy"
            },
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Abian Blome / Siemens Energy"
            }
          ],
          "datePublic": "2023-10-19T12:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Stored XSS Vulnerability in M-Files Classic Web versions before 23.10\u0026nbsp;a\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003end LTS Service Release Versions before 23.2 LTS SR4 and 23.8 LTS SR1allows attacker to execute script on users browser via stored HTML document.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e"
                }
              ],
              "value": "Stored XSS Vulnerability in M-Files Classic Web versions before 23.10\u00a0and LTS Service Release Versions before 23.2 LTS SR4 and 23.8 LTS SR1allows attacker to execute script on users browser via stored HTML document."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-592",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-592 Stored XSS"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T08:40:56.290Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2023-2325/"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2023-2325"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to fixed version"
                }
              ],
              "value": "Update to fixed version"
            }
          ],
          "source": {
            "defect": [
              "167253"
            ],
            "discovery": "EXTERNAL"
          },
          "title": "Stored XSS Vulnerability in M-Files Classic Web",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2023-2325",
        "datePublished": "2023-10-20T06:39:44.747Z",
        "dateReserved": "2023-04-27T08:15:36.501Z",
        "dateUpdated": "2026-02-23T08:40:56.290Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-3406 (GCVE-0-2023-3406)

    Vulnerability from cvelistv5 – Published: 2023-08-25 08:11 – Updated: 2026-02-23 08:48
    VLAI
    Title
    Path traversal issue in M-Files Classic Web
    Summary
    Path Traversal issue in M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release Versions before 23.2 LTS SR3 allows an authenticated user to read some restricted files on the web server.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Impacted products
    Vendor Product Version
    M-Files M-Files Web Affected: 0 , < 23.6.12695.3 (custom)
    Unaffected: 23.2.12340.14
    Date Public
    2023-08-25 07:05

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:55:03.469Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-3406"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3406",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-28T18:28:51.404395Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-28T18:29:05.426Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Web",
              "vendor": "M-Files",
              "versions": [
                {
                  "lessThan": "23.6.12695.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "23.2.12340.14"
                }
              ]
            }
          ],
          "datePublic": "2023-08-25T07:05:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Path Traversal issue in M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release Versions before 23.2 LTS SR3 allows authenticated user to read some restricted files on the web server"
                }
              ],
              "value": "Path Traversal issue in M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release Versions before 23.2 LTS SR3 allows authenticated user to read some restricted files on the web server"
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "None publicly available"
                }
              ],
              "value": "None publicly available"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-126",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-126 Path Traversal"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.7,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-22",
                  "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T08:48:04.741Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2023-3406/"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2023-3406"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to M-Files release versions 23.6 or newer, or update to LTS versions 23.2 SR3 or newer."
                }
              ],
              "value": "Update to M-Files release versions 23.6 or newer, or update to LTS versions 23.2 SR3 or newer."
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "Path traversal issue in M-Files Classic Web",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2023-3406",
        "datePublished": "2023-08-25T08:11:46.246Z",
        "dateReserved": "2023-06-26T13:29:10.505Z",
        "dateUpdated": "2026-02-23T08:48:04.741Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-3425 (GCVE-0-2023-3425)

    Vulnerability from cvelistv5 – Published: 2023-08-25 08:08 – Updated: 2026-02-23 08:48
    VLAI
    Title
    CVE-2023-3425: Out-of-Bounds memory read
    Summary
    Out-of-bounds read issue in M-Files Server versions below 23.8.12892.6 and LTS Service Release versions before 23.2 LTS SR3 allows an unauthenticated user to read a restricted amount of bytes from memory.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Impacted products
    Vendor Product Version
    M-Files M-Files Server Affected: 0 , < 23.8.12892.6 (custom)
    Unaffected: 23.2.12340.14

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T06:55:03.431Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-3425"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-3425",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-08-28T18:29:38.276025Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-28T18:29:48.168Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "M-Files Server",
              "vendor": "M-Files",
              "versions": [
                {
                  "lessThan": "23.8.12892.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "custom"
                },
                {
                  "status": "unaffected",
                  "version": "23.2.12340.14"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Out-of-bounds read issue in M-Files Server versions below 23.8.12892.6 and LTS Service Release Versions before 23.2 LTS SR3 allows unauthenticated user to read restricted amount of bytes from memory."
                }
              ],
              "value": "Out-of-bounds read issue in M-Files Server versions below 23.8.12892.6 and LTS Service Release Versions before 23.2 LTS SR3 allows unauthenticated user to read restricted amount of bytes from memory."
            }
          ],
          "exploits": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "None publicly available\u003cbr\u003e"
                }
              ],
              "value": "None publicly available"
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-540",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-540: Overread Buffers"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-125",
                  "description": "CWE-125: Out-of-bounds Read",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-02-23T08:48:57.088Z",
            "orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
            "shortName": "M-Files Corporation"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://product.m-files.com/security-advisories/cve-2023-3425/"
            },
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://empower.m-files.com/security-advisories/CVE-2023-3425"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to M-Files release versions 23.8 or newer, or update to LTS versions 23.2 SR3 or newer\u003cbr\u003e"
                }
              ],
              "value": "Update to M-Files release versions 23.8 or newer, or update to LTS versions 23.2 SR3 or newer"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "CVE-2023-3425: Out-of-Bounds memory read",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
        "assignerShortName": "M-Files Corporation",
        "cveId": "CVE-2023-3425",
        "datePublished": "2023-08-25T08:08:05.954Z",
        "dateReserved": "2023-06-27T05:38:34.710Z",
        "dateUpdated": "2026-02-23T08:48:57.088Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }