Vulnerability Details : CVE-2023-2480
Missing access permissions checks in M-Files Client before 23.5.12598.0 (excluding 23.2 SR2 and newer) allows elevation of privilege via UI extension applications
Vulnerability category: Gain privilege
Products affected by CVE-2023-2480
- cpe:2.3:a:m-files:m-files:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-2480
0.05%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 16 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-2480
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.8
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
1.8
|
5.9
|
NIST | |
|
7.5
|
HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H |
0.8
|
6.0
|
M-Files Corporation |
CWE ids for CVE-2023-2480
-
The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.Assigned by: security@m-files.com (Secondary)
-
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-2480
-
https://product.m-files.com/security-advisories/cve-2023-2480/
CVE-2023-2480 – M-Files Product Center
-
https://www.m-files.com/about/trust-center/security-advisories/cve-2023-2480/
CVE-2023-2480: Elevation of Privilege in M-Files Desktop Client | M-FilesVendor Advisory
Jump to