Skip to main content

M Files Server CVE-2024-6789

HIGH
Path Traversal (CWE-22)
2024-08-27 security@m-files.com
8.4
CVSS 4.0 · Vendor: m-files
Share

Severity by source

Vendor (m-files) PRIMARY
8.4 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:M/U:Green

Primary rating from Vendor (m-files) · only source for this CVE.

CVSS VectorVendor: m-files

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:M/U:Green
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
CVE Published
Aug 27, 2024 - 10:15 cve.org
HIGH 8.4

DescriptionCVE.org

A path traversal issue in API endpoint in M-Files Server before version 24.8.13981.0 and LTS 24.2.13421.15 SR2 and LTS 23.8.12892.0 SR6 allows authenticated user to read files

AnalysisAI

A path traversal issue in API endpoint in M-Files Server before version 24.8.13981.0 and LTS 24.2.13421.15 SR2 and LTS 23.8.12892.0 SR6 allows authenticated user to read files. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. A path traversal issue in API endpoint in M-Files Server before version 24.8.13981.0 and LTS 24.2.13421.15 SR2 and LTS 23.8.12892.0 SR6 allows authenticated user to read files Affected products include: M-Files M-Files Server. Version information: version 24.8.13981.0.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.

CVE-2023-6912 CRITICAL
9.8 Dec 20

Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authe

CVE-2024-10127 CRITICAL
9.2 Nov 20

Authentication bypass condition in LDAP authentication in M-Files server versions before 24.11 supported usage of OpenLD

CVE-2023-6239 HIGH
8.8 Nov 28

Under rare conditions, the effective permissions of an object might be incorrectly calculated if the object has a specif

CVE-2023-2112 HIGH
7.8 Apr 20

Desktop component service allows lateral movement between sessions in M-Files before 23.4.12455.0. Rated high severity (

CVE-2024-4056 HIGH
7.5 Apr 26

Denial of service condition in M-Files Server in versions before 24.4.13592.4 and after 23.11 (excluding 24.2 LTS) allow

CVE-2023-6117 HIGH
7.5 Nov 22

A possibility of unwanted server memory consumption was detected through the obsolete functionalities in the Rest API me

CVE-2023-3405 HIGH
7.5 Jun 27

Unchecked parameter value in M-Files Server in versions before 23.6.12695.3 (excluding 23.2 SR2 and newer) allows anonym

CVE-2023-0384 HIGH
7.5 Apr 20

User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolle

CVE-2023-0383 HIGH
7.5 Apr 20

User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolle

CVE-2022-4858 HIGH
7.5 Dec 30

Insertion of Sensitive Information into Log Files in M-Files Server before 22.10.11846.0 could allow to obtain sensitive

CVE-2026-0983 HIGH
7.1 May 18

Denial of service in M-Files Server versions prior to 26.5.16015.0, 26.2 LTS, and 25.8 LTS SR3 allows an authenticated r

CVE-2026-0932 MEDIUM
6.9 Apr 01

Blind server-side request forgery in M-Files Server before version 26.3 allows unauthenticated remote attackers to force

Share

CVE-2024-6789 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy