CVE-2023-3406

Path Traversal issue in M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release Versions before 23.2 LTS SR3 allows authenticated user to read some restricted files on the web server

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://product.m-files.com/security-advisories/cve-2023-3406/

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:m-files:classic_web:::::lts:::*
	cpe:2.3:a:m-files:classic_web:::::-:::*
	cpe:2.3:a:m-files:classic_web:23.2:-:::lts:::*

History

28 Aug 2024, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-08-25 09:15

Updated : 2024-08-28 09:15

NVD link : CVE-2023-3406

Mitre link : CVE-2023-3406

CVE.ORG link : CVE-2023-3406

JSON object : View

Products Affected

m-files

classic_web

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2023-3406", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security@m-files.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.1}]}, "published": "2023-08-25T09:15:08.850", "references": [{"url": "https://product.m-files.com/security-advisories/cve-2023-3406/", "source": "security@m-files.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}, {"type": "Secondary", "source": "security@m-files.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Path Traversal issue in M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release Versions before 23.2 LTS SR3 allows authenticated user to read some restricted files on the web server"}, {"lang": "es", "value": "Un problema de path traversal en las versiones de M-Files Classic Web, el cual afecta a las versiones inferiores a 23.6.12695.3 y a las versiones de lanzamiento del servicio LTS inferiores a 23.2 LTS SR3. Esta vulnerabilidad permite a un usuario autenticado leer algunos archivos restringidos en el servidor web."}], "lastModified": "2024-08-28T09:15:08.950", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:m-files:classic_web:*:*:*:*:lts:*:*:*", "vulnerable": true, "matchCriteriaId": "89B60851-49D1-40DA-A600-658BCC986BF6", "versionEndExcluding": "23.2"}, {"criteria": "cpe:2.3:a:m-files:classic_web:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "CE7A65F9-84AD-47E9-8C64-3585D5855FEA", "versionEndExcluding": "23.6.12695.3"}, {"criteria": "cpe:2.3:a:m-files:classic_web:23.2:-:*:*:lts:*:*:*", "vulnerable": true, "matchCriteriaId": "4E66A68C-65E6-48E9-97DD-621B4B73D975"}], "operator": "OR"}]}], "sourceIdentifier": "security@m-files.com"}