CVE-2023-3406

Path Traversal issue in M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release Versions before 23.2 LTS SR3 allows authenticated user to read some restricted files on the web server

CVSS v3 7.7 HIGH

7.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.1 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://product.m-files.com/security-advisories/cve-2023-3406/
https://www.m-files.com/about/trust-center/security-advisories/cve-2023-3406

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:m-files:classic_web:::::lts:::*
	cpe:2.3:a:m-files:classic_web:::::-:::*
	cpe:2.3:a:m-files:classic_web:23.2:-:::lts:::*

History

21 Nov 2024, 08:17

Type	Values Removed	Values Added
References		() https://www.m-files.com/about/trust-center/security-advisories/cve-2023-3406 -
CVSS	v2 : ~~unknown~~ v3 : ~~6.5~~	v2 : unknown v3 : 7.7

28 Aug 2024, 09:15

Type	Values Removed	Values Added
References	~~{'url': 'https://www.m-files.com/about/trust-center/security-advisories/cve-2023-3406', 'tags': ['Vendor Advisory'], 'source': 'security@m-files.com'}~~	() https://product.m-files.com/security-advisories/cve-2023-3406/ -

31 Aug 2023, 16:26

Type	Values Removed	Values Added
CPE		cpe:2.3:a:m-files:classic_web:::::lts:::* cpe:2.3:a:m-files:classic_web:23.2:-:::lts:::* cpe:2.3:a:m-files:classic_web:::::-:::*
First Time		M-files classic Web M-files
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.5
CWE		CWE-22
References	~~(MISC) https://www.m-files.com/about/trust-center/security-advisories/cve-2023-3406 -~~	(MISC) https://www.m-files.com/about/trust-center/security-advisories/cve-2023-3406 - Vendor Advisory

25 Aug 2023, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-08-25 09:15

Updated : 2024-11-21 08:17

NVD link : CVE-2023-3406

Mitre link : CVE-2023-3406

CVE.ORG link : CVE-2023-3406

JSON object : View

Products Affected

m-files

classic_web

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2023-3406", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security@m-files.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2023-08-25T09:15:08.850", "references": [{"url": "https://product.m-files.com/security-advisories/cve-2023-3406/", "source": "security@m-files.com"}, {"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-3406", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security@m-files.com", "description": [{"lang": "en", "value": "CWE-22"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Path Traversal issue in M-Files Classic Web versions below 23.6.12695.3 and LTS Service Release Versions before 23.2 LTS SR3 allows authenticated user to read some restricted files on the web server"}, {"lang": "es", "value": "Un problema de path traversal en las versiones de M-Files Classic Web, el cual afecta a las versiones inferiores a 23.6.12695.3 y a las versiones de lanzamiento del servicio LTS inferiores a 23.2 LTS SR3. Esta vulnerabilidad permite a un usuario autenticado leer algunos archivos restringidos en el servidor web."}], "lastModified": "2024-11-21T08:17:12.073", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:m-files:classic_web:*:*:*:*:lts:*:*:*", "vulnerable": true, "matchCriteriaId": "89B60851-49D1-40DA-A600-658BCC986BF6", "versionEndExcluding": "23.2"}, {"criteria": "cpe:2.3:a:m-files:classic_web:*:*:*:*:-:*:*:*", "vulnerable": true, "matchCriteriaId": "CE7A65F9-84AD-47E9-8C64-3585D5855FEA", "versionEndExcluding": "23.6.12695.3"}, {"criteria": "cpe:2.3:a:m-files:classic_web:23.2:-:*:*:lts:*:*:*", "vulnerable": true, "matchCriteriaId": "4E66A68C-65E6-48E9-97DD-621B4B73D975"}], "operator": "OR"}]}], "sourceIdentifier": "security@m-files.com"}