M-server Security Vulnerabilities
Denial of service condition in M-Files Server in versions before 24.4.13592.4 and after 23.11 (excluding 24.2 LTS) allows unauthenticated user to consume computing...
7.5CVSS
6.8AI Score
0.0004EPSS
Denial of service condition in M-Files Server in versions before 24.2 (excluding 23.2 SR7 and 23.8 SR5) allows anonymous user to cause denial of service against other anonymous...
4.3CVSS
4.6AI Score
0.0004EPSS
Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing...
9.8CVSS
9.4AI Score
0.001EPSS
A vulnerable API method in M-Files Server before 23.12.13195.0 allows for uncontrolled resource consumption. Authenticated attacker can exhaust server storage space to a point where the server can no longer serve...
6.5CVSS
6.4AI Score
0.0004EPSS
Under rare conditions, the effective permissions of an object might be incorrectly calculated if the object has a specific configuration of metadata-driven permissions in M-Files Server versions 23.9, 23.10, and 23.11 before 23.11.13168.7, potentially enabling unauthorized access to the...
8.8CVSS
8.5AI Score
0.001EPSS
A possibility of unwanted server memory consumption was detected through the obsolete functionalities in the Rest API methods of the M-Files server before 23.11.13156.0 which allows attackers to execute DoS...
7.5CVSS
7.6AI Score
0.0005EPSS
Missing access permissions checks in the M-Files server before 23.11.13156.0 allow attackers to perform data write and export jobs using the M-Files API...
5.3CVSS
5.3AI Score
0.0005EPSS
Digi RealPort Protocol is vulnerable to a replay attack that may allow an attacker to bypass authentication to access connected...
9CVSS
8.1AI Score
0.001EPSS
Out-of-bounds read issue in M-Files Server versions below 23.8.12892.6 and LTS Service Release Versions before 23.2 LTS SR3 allows unauthenticated user to read restricted amount of bytes from...
6.5CVSS
5.2AI Score
0.001EPSS
Unchecked parameter value in M-Files Server in versions before 23.6.12695.3 (excluding 23.2 SR2 and newer) allows anonymous user to cause denial of...
7.5CVSS
7.3AI Score
0.0005EPSS
Desktop component service allows lateral movement between sessions in M-Files before...
7.8CVSS
7.5AI Score
0.0004EPSS
User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolled memory consumption for a scheduled...
7.5CVSS
7.4AI Score
0.001EPSS
User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolled memory...
7.5CVSS
7.4AI Score
0.001EPSS
User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1 due to uncontrolled memory...
6.5CVSS
6.4AI Score
0.001EPSS
Rendering of HTML provided by another authenticated user is possible in browser on M-Files Web before 22.12.12140.3. This allows the content to steal user sensitive information. This issue affects M-Files New Web: before...
7.6CVSS
7.2AI Score
0.001EPSS
Download key for a file in a vault was passed in an insecure way that could easily be logged in M-Files New Web in M-Files before 22.11.12011.0. This issue affects M-Files New Web: before...
7.5CVSS
7.5AI Score
0.001EPSS
Insertion of Sensitive Information into Log Files in M-Files Server before 22.10.11846.0 could allow to obtain sensitive tokens from logs, if specific configurations were...
7.5CVSS
7.3AI Score
0.002EPSS
Incorrect privilege assignment issue in M-Files Web in M-Files Web versions before 22.5.11436.1 could have changed permissions...
2.6CVSS
4.2AI Score
0.001EPSS
Error in parser function in M-Files Server versions before 22.6.11534.1 and before 22.6.11505.0 allowed unauthenticated access to some information of the underlying operating...
5.3CVSS
5.2AI Score
0.001EPSS
Incorrect privilege assignment in M-Files Server versions before 22.3.11164.0 and before 22.3.11237.1 allows user to read unmanaged...
4.3CVSS
4.6AI Score
0.001EPSS
Admin tool allows storing configuration data with script which may then get run by another vault administrator. Requires vault admin level authentication and is not remotely...
5.2CVSS
5.3AI Score
0.001EPSS
SSRF vulnerability in M-Files Server products with versions before 22.1.11017.1, in a preview function allowed making queries from the server with certain document types referencing external...
4.3CVSS
4.6AI Score
0.001EPSS
In M-Files Server product with versions before 21.11.10775.0, enabling logging of Federated authentication to event log wrote sensitive information to log. Mitigating factors are logging is disabled by...
2.3CVSS
3.9AI Score
0.0004EPSS
Lack of rate limiting in M-Files Server and M-Files Web products with versions before 21.12.10873.0 in certain type of user accounts allows unlimited amount of attempts and therefore makes brute-forcing login accounts...
9.8CVSS
9.3AI Score
0.003EPSS
In Digi RealPort through 4.10.490, authentication relies on a challenge-response mechanism that gives access to the server password, making the protection ineffective. An attacker may send an unauthenticated request to the server. The server will reply with a weakly-hashed version of the server's.....
9.8CVSS
9.5AI Score
0.002EPSS
An issue was discovered in Digi RealPort through 4.8.488.0. The 'encrypted' mode is vulnerable to man-in-the-middle attacks and does not perform...
8.1CVSS
7.9AI Score
0.001EPSS
An issue was discovered in Digi RealPort for Windows through 4.8.488.0. A buffer overflow exists in the handling of ADDP discovery response messages. This could result in arbitrary code...
9.8CVSS
9.8AI Score
0.003EPSS
An OpenSSL TLS server may crash if sent a maliciously crafted renegotiation ClientHello message from a client. If a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension (where it was present in the initial ClientHello), but includes a signature_algorithms_cert extension then.....
5.9CVSS
6.5AI Score
0.005EPSS
Incomplete cleanup from specific special register read operations in some Intel(R) Processors may allow an authenticated user to potentially enable information disclosure via local...
5.5CVSS
6.3AI Score
0.001EPSS
Insufficient folder permissions used by system functions in ABB System 800xA products OPCServer for AC800M (versions 6.0 and earlier) and Control Builder M Professional, MMSServer for AC800M, Base Software for SoftControl (version 6.1 and earlier) allow low privileged users to read, modify, add...
7.8CVSS
7.5AI Score
0.0004EPSS
Improper invalidation for page table updates by a virtual guest operating system for multiple Intel(R) Processors may allow an authenticated user to potentially enable denial of service of the host system via local...
6.5CVSS
7AI Score
0.0005EPSS
Insufficient access control in a subsystem for Intel (R) processor graphics in 6th, 7th, 8th and 9th Generation Intel(R) Core(TM) Processor Families; Intel(R) Pentium(R) Processor J, N, Silver and Gold Series; Intel(R) Celeron(R) Processor J, N, G3900 and G4900 Series; Intel(R) Atom(R) Processor A....
7.8CVSS
8.2AI Score
0.0004EPSS
A XSS vulnerability was found in module m-server <1.4.2 that allows malicious Javascript code or HTML to be executed, due to the lack of escaping for special characters in folder...
5.4CVSS
5.3AI Score
0.001EPSS
Path Traversal vulnerability in module m-server <1.4.1 allows malicious user to access unauthorized content of any file in the directory tree e.g. /etc/passwd by appending slashes to the URL...
6.5CVSS
6.3AI Score
0.001EPSS
The Linux kernel, versions 3.9+, is vulnerable to a denial of service attack with low rates of specially modified packets targeting IP fragment re-assembly. An attacker may cause a denial of service condition by sending specially crafted IP fragments. Various vulnerabilities in IP fragmentation...
Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a speculative buffer overflow and side-channel...
5.6CVSS
6.3AI Score
0.001EPSS
Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store....
Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel...
5.6CVSS
6.1AI Score
0.976EPSS
Heap-based buffer overflow in dnsmasq before 2.78 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS...
9.8CVSS
9.1AI Score
0.303EPSS
The SMB Mailslot parsing functionality in PAM in multiple ISS products with XPU (24.39/1.78/epj/x.x.x.1780), including Proventia A, G, M, Server, and Desktop, BlackICE PC and Server Protection 3.6, and RealSecure 7.0, allows remote attackers to cause a denial of service (infinite loop) via a...
6.6AI Score
0.103EPSS
Double free vulnerability in isode.eddy in Isode M-Vault Server 11.3 allows remote attackers to execute arbitrary code via a crafted LDAP request, as demonstrated by ProtoVer Sample...
7.6AI Score
0.192EPSS
Heap-based buffer overflow in the ISS Protocol Analysis Module (PAM), as used in certain versions of RealSecure Network 7.0 and Server Sensor 7.0, Proventia A, G, and M Series, RealSecure Desktop 7.0 and 3.6, RealSecure Guard 3.6, RealSecure Sentry 3.6, BlackICE PC Protection 3.6, and BlackICE...
8.2AI Score
0.244EPSS
Multiple stack-based buffer overflows in the ICQ parsing routines of the ISS Protocol Analysis Module (PAM) component, as used in various RealSecure, Proventia, and BlackICE products, allow remote attackers to execute arbitrary code via a SRV_MULTI response containing a SRV_USER_ONLINE response...
7.7AI Score
0.962EPSS