M Files Server
Monthly
M-Files Server before version 26.1.15632.3 can be crashed by authenticated administrators with vault privileges through an unsafe API endpoint, resulting in service disruption. This denial-of-service vulnerability requires high-level privileges and network access, making it a limited-scope threat to organizations running vulnerable versions. No patch is currently available.
Denial-of-service condition in M-Files Server versions before 25.11.15392.1, before 25.2 LTS SR2 and before 25.8 LTS SR2 allows an authenticated user to cause the MFserver process to crash. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A path traversal issue in the API endpoint in M-Files Server before version 25.6.14925.0 allows an authenticated user to read files in the server.
Improper isolation of users in M-Files Server version before 25.3.14549 allows anonymous user to affect other anonymous users views and possibly cause a denial of service. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Unexpected server crash in database driver in M-Files Server before 25.1.14445.5 and before 24.8 LTS SR3 allows a highly privileged attacker to cause denial of service via configuration change. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Denial of service condition in M-Files Server in versions before 25.1.14445.5 allows an unauthenticated user to consume computing resources in certain conditions. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Unsafe password recovery from configuration in M-Files Server before 25.1 allows a highly privileged user to recover external connector passwords. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
M-Files Server before version 26.1.15632.3 can be crashed by authenticated administrators with vault privileges through an unsafe API endpoint, resulting in service disruption. This denial-of-service vulnerability requires high-level privileges and network access, making it a limited-scope threat to organizations running vulnerable versions. No patch is currently available.
Denial-of-service condition in M-Files Server versions before 25.11.15392.1, before 25.2 LTS SR2 and before 25.8 LTS SR2 allows an authenticated user to cause the MFserver process to crash. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A path traversal issue in the API endpoint in M-Files Server before version 25.6.14925.0 allows an authenticated user to read files in the server.
Improper isolation of users in M-Files Server version before 25.3.14549 allows anonymous user to affect other anonymous users views and possibly cause a denial of service. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Unexpected server crash in database driver in M-Files Server before 25.1.14445.5 and before 24.8 LTS SR3 allows a highly privileged attacker to cause denial of service via configuration change. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Denial of service condition in M-Files Server in versions before 25.1.14445.5 allows an unauthenticated user to consume computing resources in certain conditions. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Unsafe password recovery from configuration in M-Files Server before 25.1 allows a highly privileged user to recover external connector passwords. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.