M Files Web
CVE-2021-37253
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
M-Files Web before 20.10.9524.1 allows a denial of service via overlapping ranges (in HTTP requests with crafted Range or Request-Range headers). NOTE: this is disputed because the range behavior is the responsibility of the web server, not the responsibility of the individual web application
AnalysisAI
M-Files Web before 20.10.9524.1 allows a denial of service via overlapping ranges (in HTTP requests with crafted Range or Request-Range headers). Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified as HTTP Request/Response Smuggling (CWE-444), which allows attackers to manipulate HTTP request interpretation between frontend and backend servers. M-Files Web before 20.10.9524.1 allows a denial of service via overlapping ranges (in HTTP requests with crafted Range or Request-Range headers). NOTE: this is disputed because the range behavior is the responsibility of the web server, not the responsibility of the individual web application Affected products include: M-Files M-Files Web. Version information: before 20.10.9524.1.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Enforce strict HTTP parsing, normalize requests at proxy layer, use HTTP/2 end-to-end, reject ambiguous headers.
More in M Files Web
View allIn M-Files Web product with versions before 20.10.9524.1 and 20.10.9445.0, a remote attacker could use a flaw to obtain
Stored XSS in M-Files Web versions from 25.1.14445.5 to 25.2.14524.4 allows an authenticated user to run scripts. Rated
Same weakness CWE-444 – HTTP Request/Response Smuggling
View allSame technique Request Smuggling
View allShare
External POC / Exploit Code
Leaving vuln.today