CVE-2023-2325 (GCVE-0-2023-2325)
Vulnerability from cvelistv5 – Published: 2023-10-20 06:39 – Updated: 2024-08-28 20:06
VLAI?
Summary
Stored XSS Vulnerability in M-Files Classic Web versions before 23.10 and LTS Service Release Versions before 23.2 LTS SR4 and 23.8 LTS SR1allows attacker to execute script on users browser via stored HTML document.
Severity ?
7.3 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| M-Files | M-Files Web |
Affected:
0 , < 23.10
(custom)
Unaffected: 23.2 LTS SR4 Unaffected: 23.8 LTS SR1 |
Credits
Thomas Riedmaier / Siemens Energy
Abian Blome / Siemens Energy
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:19:14.651Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-2325/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-2325",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-28T20:06:44.113282Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T20:06:58.799Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "M-Files Web",
"vendor": "M-Files",
"versions": [
{
"lessThan": "23.10",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "23.2 LTS SR4"
},
{
"status": "unaffected",
"version": "23.8 LTS SR1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Thomas Riedmaier / Siemens Energy"
},
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Abian Blome / Siemens Energy"
}
],
"datePublic": "2023-10-19T12:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Stored XSS Vulnerability in M-Files Classic Web versions before 23.10\u0026nbsp;a\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003end LTS Service Release Versions before 23.2 LTS SR4 and 23.8 LTS SR1allows attacker to execute script on users browser via stored HTML document.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "Stored XSS Vulnerability in M-Files Classic Web versions before 23.10\u00a0and LTS Service Release Versions before 23.2 LTS SR4 and 23.8 LTS SR1allows attacker to execute script on users browser via stored HTML document."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T08:51:42.735Z",
"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"shortName": "M-Files Corporation"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://product.m-files.com/security-advisories/cve-2023-2325/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to fixed version"
}
],
"value": "Update to fixed version"
}
],
"source": {
"defect": [
"167253"
],
"discovery": "EXTERNAL"
},
"title": "Stored XSS Vulnerability in M-Files Classic Web",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410",
"assignerShortName": "M-Files Corporation",
"cveId": "CVE-2023-2325",
"datePublished": "2023-10-20T06:39:44.747Z",
"dateReserved": "2023-04-27T08:15:36.501Z",
"dateUpdated": "2024-08-28T20:06:58.799Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:m-files:classic_web:*:*:*:*:-:*:*:*\", \"versionEndExcluding\": \"23.10\", \"matchCriteriaId\": \"28E12800-4297-4473-B24F-9D71897DB877\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:m-files:classic_web:23.2:-:*:*:lts:*:*:*\", \"matchCriteriaId\": \"4E66A68C-65E6-48E9-97DD-621B4B73D975\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:m-files:classic_web:23.8:-:*:*:lts:*:*:*\", \"matchCriteriaId\": \"B6C757FE-8BF2-4CFC-A0CF-4EDFB77C8D96\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Stored XSS Vulnerability in M-Files Classic Web versions before 23.10\\u00a0and LTS Service Release Versions before 23.2 LTS SR4 and 23.8 LTS SR1allows attacker to execute script on users browser via stored HTML document.\"}, {\"lang\": \"es\", \"value\": \"Vulnerabilidad de Cross-Site Scripting (XSS) Almacenado en las versiones M-Files Classic Web anteriores a 23.10 y LTS Service Release Versions anteriores a 23.2 LTS SR4 y 23.8 LTS SR1 permite al atacante ejecutar scripts en el navegador de los usuarios a trav\\u00e9s de un documento HTML almacenado.\"}]",
"id": "CVE-2023-2325",
"lastModified": "2024-11-21T07:58:23.477",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"security@m-files.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N\", \"baseScore\": 7.3, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.1, \"impactScore\": 5.2}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 2.7}]}",
"published": "2023-10-20T07:15:15.213",
"references": "[{\"url\": \"https://product.m-files.com/security-advisories/cve-2023-2325/\", \"source\": \"security@m-files.com\"}, {\"url\": \"https://www.m-files.com/about/trust-center/security-advisories/cve-2023-2325/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "security@m-files.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"security@m-files.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-2325\",\"sourceIdentifier\":\"security@m-files.com\",\"published\":\"2023-10-20T07:15:15.213\",\"lastModified\":\"2024-11-21T07:58:23.477\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Stored XSS Vulnerability in M-Files Classic Web versions before 23.10\u00a0and LTS Service Release Versions before 23.2 LTS SR4 and 23.8 LTS SR1allows attacker to execute script on users browser via stored HTML document.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de Cross-Site Scripting (XSS) Almacenado en las versiones M-Files Classic Web anteriores a 23.10 y LTS Service Release Versions anteriores a 23.2 LTS SR4 y 23.8 LTS SR1 permite al atacante ejecutar scripts en el navegador de los usuarios a trav\u00e9s de un documento HTML almacenado.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security@m-files.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":7.3,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security@m-files.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:m-files:classic_web:*:*:*:*:-:*:*:*\",\"versionEndExcluding\":\"23.10\",\"matchCriteriaId\":\"28E12800-4297-4473-B24F-9D71897DB877\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:m-files:classic_web:23.2:-:*:*:lts:*:*:*\",\"matchCriteriaId\":\"4E66A68C-65E6-48E9-97DD-621B4B73D975\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:m-files:classic_web:23.8:-:*:*:lts:*:*:*\",\"matchCriteriaId\":\"B6C757FE-8BF2-4CFC-A0CF-4EDFB77C8D96\"}]}]}],\"references\":[{\"url\":\"https://product.m-files.com/security-advisories/cve-2023-2325/\",\"source\":\"security@m-files.com\"},{\"url\":\"https://www.m-files.com/about/trust-center/security-advisories/cve-2023-2325/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://www.m-files.com/about/trust-center/security-advisories/cve-2023-2325/\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T06:19:14.651Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-2325\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-08-28T20:06:44.113282Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-08-28T20:06:52.944Z\"}}], \"cna\": {\"title\": \"Stored XSS Vulnerability in M-Files Classic Web\", \"source\": {\"defect\": [\"167253\"], \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"user\": \"00000000-0000-4000-9000-000000000000\", \"value\": \"Thomas Riedmaier / Siemens Energy\"}, {\"lang\": \"en\", \"type\": \"finder\", \"user\": \"00000000-0000-4000-9000-000000000000\", \"value\": \"Abian Blome / Siemens Energy\"}], \"impacts\": [{\"capecId\": \"CAPEC-592\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-592 Stored XSS\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"M-Files\", \"product\": \"M-Files Web\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"23.10\", \"versionType\": \"custom\"}, {\"status\": \"unaffected\", \"version\": \"23.2 LTS SR4\"}, {\"status\": \"unaffected\", \"version\": \"23.8 LTS SR1\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Update to fixed version\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Update to fixed version\", \"base64\": false}]}], \"datePublic\": \"2023-10-19T12:00:00.000Z\", \"references\": [{\"url\": \"https://product.m-files.com/security-advisories/cve-2023-2325/\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Stored XSS Vulnerability in M-Files Classic Web versions before 23.10\\u00a0and LTS Service Release Versions before 23.2 LTS SR4 and 23.8 LTS SR1allows attacker to execute script on users browser via stored HTML document.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Stored XSS Vulnerability in M-Files Classic Web versions before 23.10\u0026nbsp;a\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003end LTS Service Release Versions before 23.2 LTS SR4 and 23.8 LTS SR1allows attacker to execute script on users browser via stored HTML document.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"bcf7a16e-bfdc-46e4-9e42-4187da3f4410\", \"shortName\": \"M-Files Corporation\", \"dateUpdated\": \"2024-08-28T08:51:42.735Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2023-2325\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-28T20:06:58.799Z\", \"dateReserved\": \"2023-04-27T08:15:36.501Z\", \"assignerOrgId\": \"bcf7a16e-bfdc-46e4-9e42-4187da3f4410\", \"datePublished\": \"2023-10-20T06:39:44.747Z\", \"assignerShortName\": \"M-Files Corporation\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…