CVE-2023-6189 - OpenCVE

Missing access permissions checks in the M-Files server before 23.11.13156.0 allow attackers to perform data write and export jobs using the M-Files API methods.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
M-files	M-files Server

Configuration 1 [-]

cpe:2.3:a:m-files:m-files_server:*:*:*:*:*:*:*:*

References

Link	Resource
https://https://www.m-files.com/about/trust-center/security-advisories/cve-2023-6189/	Broken Link

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: M-Files Corporation

Published: 2023-11-22T09:56:44.563Z

Updated: 2023-11-22T09:56:44.563Z

Reserved: 2023-11-17T13:00:28.506Z

Link: CVE-2023-6189

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-11-22T10:15:09.530

Modified: 2023-11-30T04:58:23.543

Link: CVE-2023-6189

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-6189", "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "state": "PUBLISHED", "assignerShortName": "M-Files Corporation", "dateReserved": "2023-11-17T13:00:28.506Z", "datePublished": "2023-11-22T09:56:44.563Z", "dateUpdated": "2023-11-22T09:56:44.563Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "M-Files Server", "vendor": "M-Files", "versions": [{"lessThan": "23.11.13156.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "datePublic": "2023-11-22T08:30:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(252, 252, 252);\">Missing access permissions checks</span>\n\n in the <span style=\"background-color: rgb(255, 255, 255);\">M-Files server</span> before 23.11.13156.0 allow attackers to perform data write and export\n\njobs using the<span style=\"background-color: rgb(255, 255, 255);\"> M-Files </span><span style=\"background-color: rgb(255, 255, 255);\">API methods.</span>"}], "value": "\nMissing access permissions checks\n\n in\u00a0the M-Files server\u00a0before 23.11.13156.0 allow attackers to perform data write and export\n\njobs using the\u00a0M-Files API methods."}], "impacts": [{"capecId": "CAPEC-212", "descriptions": [{"lang": "en", "value": "CAPEC-212 Functionality Misuse"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-280", "description": "CWE-280 Improper Handling of Insufficient Permissions or Privileges", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "shortName": "M-Files Corporation", "dateUpdated": "2023-11-22T09:56:44.563Z"}, "references": [{"url": "https://https://www.m-files.com/about/trust-center/security-advisories/cve-2023-6189/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\nUpdate to the patched version.\n\n<br>"}], "value": "\nUpdate to the patched version.\n\n\n"}], "source": {"discovery": "INTERNAL"}, "title": "Improper Permission Handling in M-Files Server", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:m-files:m-files_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "50EE795A-16AD-4E6D-86CD-9F0A7DEB2FCF", "versionEndExcluding": "23.11.13156.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "\nMissing access permissions checks\n\n in\u00a0the M-Files server\u00a0before 23.11.13156.0 allow attackers to perform data write and export\n\njobs using the\u00a0M-Files API methods."}, {"lang": "es", "value": "Las comprobaciones de permisos de acceso faltantes en el servidor M-Files anteriores a 23.11.13156.0 permiten a los atacantes realizar trabajos de escritura y exportaci\u00f3n de datos utilizando los m\u00e9todos API de M-Files."}], "id": "CVE-2023-6189", "lastModified": "2023-11-30T04:58:23.543", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@m-files.com", "type": "Secondary"}]}, "published": "2023-11-22T10:15:09.530", "references": [{"source": "security@m-files.com", "tags": ["Broken Link"], "url": "https://https://www.m-files.com/about/trust-center/security-advisories/cve-2023-6189/"}], "sourceIdentifier": "security@m-files.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-280"}], "source": "security@m-files.com", "type": "Secondary"}]}