CVE-2023-2480: Elevation of Privilege in M-Files Desktop Client

DESCRIPTION:

Missing access permission checks in M-Files Client before 23.5.12598.0 allow elevation of privilege via UI extension applications.

AFFECTED PRODUCTS:

M-Files Client before 23.5.12598.0

MORE INFORMATION:

Successful exploitation of the vulnerability requires complex user interaction: the attacker must first get the user to create a connection to an external vault controlled by the attacker, and the user must then separately accept an application from that vault.

CVSS 3.1 Score: 7.5

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

CWE: CWE-280 Improper Handling of Insufficient Permissions or Privileges

CAPEC: CAPEC-212 Functionality Misuse

Internal ID: 161636

Date issued: 2023-05-25

LINKS

https://www.cve.org/CVERecord?id=CVE-2023-2480

HISTORY

2023-05-25 Published

Priority:

Critical*