Script injection in M-Files Server products with versions before 22.2.11051.0, allows executing stored script in admin tool
CVE-2021-41810

5.2MEDIUM

Key Information:

Vendor: M-files Corporation
Status: M-files Server
Vendor: CVE Published:; 2 May 2022

🔔 Create M-files Corporation Vulnerability Alert

What is CVE-2021-41810?

Admin tool allows storing configuration data with script which may then get run by another vault administrator. Requires vault admin level authentication and is not remotely exploitable

Affected Version(s)

M-Files Server M-Files Server < 22.2.11051.0

References

https://www.m-files.com/about/trust-center/security-advis...

x_refsource_MISC

CVSS V3.1

Score:

5.2

Severity:

MEDIUM

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 2, 2022
Vulnerability Reserved
Sep 29, 2021