CVE-2023-5523 - OpenCVE

Execution of downloaded content flaw in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows Remote Code Execution

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
M-files	Web Companion

Configuration 1 [-]

OR	cpe:2.3:a:m-files:web_companion:::::lts:::*
	cpe:2.3:a:m-files:web_companion:::::-:::*
	cpe:2.3:a:m-files:web_companion:23.8:-:::lts:::*

No data.

References

Link	Providers
https://product.m-files.com/security-advisories/cve-2023-5523/
https://www.m-files.com/about/trust-center/security-advisories/cve-2023-5523/

History

Wed, 28 Aug 2024 19:30:00 +0000

Type	Values Removed	Values Added
References		https://www.m-files.com/about/trust-center/security-advisories/cve-2023-5523/

Wed, 28 Aug 2024 09:45:00 +0000

Type	Values Removed	Values Added
References	https://www.m-files.com/about/trust-center/security-advisories/cve-2023-5523/

Wed, 28 Aug 2024 08:45:00 +0000

Type	Values Removed	Values Added
Description	Execution of downloaded content flaw in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows Remote Code Execution	Execution of downloaded content flaw in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows Remote Code Execution
References		https://product.m-files.com/security-advisories/cve-2023-5523/

MITRE

Status: PUBLISHED

Assigner: M-Files Corporation

Published: 2023-10-20T06:40:29.555Z

Updated: 2024-08-28T18:31:19.837Z

Reserved: 2023-10-11T13:17:44.566Z

Link: CVE-2023-5523

Vulnrichment

Updated: 2024-08-02T07:59:44.699Z

NVD

Status : Modified

Published: 2023-10-20T07:15:17.650

Modified: 2024-08-28T09:15:09.550

Link: CVE-2023-5523

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-5523", "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "state": "PUBLISHED", "assignerShortName": "M-Files Corporation", "dateReserved": "2023-10-11T13:17:44.566Z", "datePublished": "2023-10-20T06:40:29.555Z", "dateUpdated": "2024-08-28T18:31:19.837Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Web Companion", "vendor": "M-Files", "versions": [{"lessThan": "23.10", "status": "affected", "version": "23.3", "versionType": "custom"}, {"status": "unaffected", "version": "23.8 LTS SR1"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Anton Keskisaari / Second Nature Security"}], "datePublic": "2023-10-20T12:35:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Execution of downloaded content flaw in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows \n\n<span style=\"background-color: rgb(255, 255, 255);\">Remote Code Execution</span> <br><br>"}], "value": "Execution of downloaded content flaw in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows \n\nRemote Code Execution"}], "exploits": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "None publicly available"}], "value": "None publicly available"}], "impacts": [{"capecId": "CAPEC-253", "descriptions": [{"lang": "en", "value": "CAPEC-253 Remote Code Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-829", "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "shortName": "M-Files Corporation", "dateUpdated": "2024-08-28T08:24:09.293Z"}, "references": [{"url": "https://product.m-files.com/security-advisories/cve-2023-5523/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to fixed version"}], "value": "Update to fixed version"}], "source": {"defect": ["168401"], "discovery": "EXTERNAL"}, "title": "M-Files Web Companion allows Remote Code Execution", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:59:44.699Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-5523/", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-28T18:30:59.559937Z", "id": "CVE-2023-5523", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-28T18:31:19.837Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-5523/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:59:44.699Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-5523", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-28T18:30:59.559937Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-28T18:31:10.605Z"}}], "cna": {"title": "M-Files Web Companion allows Remote Code Execution", "source": {"defect": ["168401"], "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Anton Keskisaari / Second Nature Security"}], "impacts": [{"capecId": "CAPEC-253", "descriptions": [{"lang": "en", "value": "CAPEC-253 Remote Code Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "M-Files", "product": "Web Companion", "versions": [{"status": "affected", "version": "23.3", "lessThan": "23.10", "versionType": "custom"}, {"status": "unaffected", "version": "23.8 LTS SR1"}], "defaultStatus": "unaffected"}], "exploits": [{"lang": "en", "value": "None publicly available", "supportingMedia": [{"type": "text/html", "value": "None publicly available", "base64": false}]}], "solutions": [{"lang": "en", "value": "Update to fixed version", "supportingMedia": [{"type": "text/html", "value": "Update to fixed version", "base64": false}]}], "datePublic": "2023-10-20T12:35:00.000Z", "references": [{"url": "https://product.m-files.com/security-advisories/cve-2023-5523/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Execution of downloaded content flaw in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows \n\nRemote Code Execution", "supportingMedia": [{"type": "text/html", "value": "Execution of downloaded content flaw in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows \n\n<span style=\"background-color: rgb(255, 255, 255);\">Remote Code Execution</span> <br><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-829", "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere"}]}], "providerMetadata": {"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "shortName": "M-Files Corporation", "dateUpdated": "2024-08-28T08:24:09.293Z"}}}, "cveMetadata": {"cveId": "CVE-2023-5523", "state": "PUBLISHED", "dateUpdated": "2024-08-28T18:31:19.837Z", "dateReserved": "2023-10-11T13:17:44.566Z", "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "datePublished": "2023-10-20T06:40:29.555Z", "assignerShortName": "M-Files Corporation"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:m-files:web_companion:*:*:*:*:lts:*:*:*", "matchCriteriaId": "4A13E967-9494-4FA8-AE96-503DACD92325", "versionEndExcluding": "23.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:m-files:web_companion:*:*:*:*:-:*:*:*", "matchCriteriaId": "8442CD82-5B17-4837-831B-BB1F4B4BC333", "versionEndExcluding": "23.10", "versionStartIncluding": "23.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:m-files:web_companion:23.8:-:*:*:lts:*:*:*", "matchCriteriaId": "F039E21F-58D0-4BBC-B41E-EFE922009296", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Execution of downloaded content flaw in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows \n\nRemote Code Execution"}, {"lang": "es", "value": "Ejecuci\u00f3n de falla de contenido descargado en M-Files Web Companion antes de la versi\u00f3n 23.10 y versiones de lanzamiento del servicio LTS anteriores a 23.8 LTS SR1 permite la ejecuci\u00f3n remota de c\u00f3digo"}], "id": "CVE-2023-5523", "lastModified": "2024-08-28T09:15:09.550", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "security@m-files.com", "type": "Secondary"}]}, "published": "2023-10-20T07:15:17.650", "references": [{"source": "security@m-files.com", "url": "https://product.m-files.com/security-advisories/cve-2023-5523/"}], "sourceIdentifier": "security@m-files.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-829"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-829"}], "source": "security@m-files.com", "type": "Secondary"}]}