CVE-2024-6124 - Vulnerability Details - OpenCVE

Reflected XSS in M-Files Hubshare before version 5.0.6.0 allows an attacker to execute arbitrary JavaScript code in the context of the victim's browser session

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00169.

Key SSVC decision points have not yet been added.

Vendors	Products
M-files	Hubshare

Configuration 1 [-]

cpe:2.3:a:m-files:hubshare:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-47271	Reflected XSS in M-Files Hubshare before version 5.0.6.0 allows an attacker to execute arbitrary JavaScript code in the context of the victim's browser session

Fixes

Solution

Update to a patched version

Workaround

No workaround given by the vendor.

References

Link	Providers
https://product.m-files.com/security-advisories/cve-2024-6124/
https://www.m-files.com/about/trust-center/security-advisories/cve-2024-6124/

History

Tue, 27 Aug 2024 11:00:00 +0000

Type	Values Removed	Values Added
References		https://product.m-files.com/security-advisories/cve-2024-6124/

Thu, 08 Aug 2024 20:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		M-files M-files hubshare
CPEs		cpe:2.3:a:m-files:hubshare::::::::
Vendors & Products		M-files M-files hubshare
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: M-Files Corporation

Published: 2024-07-29T13:00:33.825Z

Updated: 2024-08-27T10:52:19.231Z

Reserved: 2024-06-18T13:29:45.431Z

Link: CVE-2024-6124

Vulnrichment

Updated: 2024-08-01T21:33:04.863Z

NVD

Status : Modified

Published: 2024-07-29T13:15:10.810

Modified: 2024-11-21T09:49:00.767

Link: CVE-2024-6124

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6124", "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "state": "PUBLISHED", "assignerShortName": "M-Files Corporation", "dateReserved": "2024-06-18T13:29:45.431Z", "datePublished": "2024-07-29T13:00:33.825Z", "dateUpdated": "2024-08-27T10:52:19.231Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Hubshare", "vendor": "M-Files Corporation", "versions": [{"lessThan": "5.0.6.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Markus Tirrenberg / WithSecure"}, {"lang": "en", "type": "finder", "value": "Emma Kantanen / WithSecure"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Reflected XSS in M-Files Hubshare before version 5.0.6.0 allows <span style=\"background-color: rgb(255, 255, 255);\">an attacker to execute arbitrary JavaScript code in the context of the victim's browser session</span><br>"}], "value": "Reflected XSS in M-Files Hubshare before version 5.0.6.0 allows\u00a0an attacker to execute arbitrary JavaScript code in the context of the victim's browser session"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.5, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "CLEAR", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/RE:M/U:Clear", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "shortName": "M-Files Corporation", "dateUpdated": "2024-08-27T10:52:19.231Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://product.m-files.com/security-advisories/cve-2024-6124/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to a patched version"}], "value": "Update to a patched version"}], "source": {"discovery": "EXTERNAL"}, "title": "Reflected XSS in Hubshare via Open Redirect", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-29T13:50:48.600240Z", "id": "CVE-2024-6124", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-29T13:50:55.129Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:33:04.863Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2024-6124/"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2024-6124/", "tags": ["vendor-advisory", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:33:04.863Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-6124", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-29T13:50:48.600240Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-29T13:50:52.485Z"}}], "cna": {"title": "Reflected XSS in Hubshare via Open Redirect", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Markus Tirrenberg / WithSecure"}, {"lang": "en", "type": "finder", "value": "Emma Kantanen / WithSecure"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "CAPEC-591 Reflected XSS"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/RE:M/U:Clear", "providerUrgency": "CLEAR", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "M-Files Corporation", "product": "Hubshare", "versions": [{"status": "affected", "version": "0", "lessThan": "5.0.6.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update to a patched version", "supportingMedia": [{"type": "text/html", "value": "Update to a patched version", "base64": false}]}], "references": [{"url": "https://product.m-files.com/security-advisories/cve-2024-6124/", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Reflected XSS in M-Files Hubshare before version 5.0.6.0 allows\u00a0an attacker to execute arbitrary JavaScript code in the context of the victim's browser session", "supportingMedia": [{"type": "text/html", "value": "Reflected XSS in M-Files Hubshare before version 5.0.6.0 allows <span style=\"background-color: rgb(255, 255, 255);\">an attacker to execute arbitrary JavaScript code in the context of the victim's browser session</span><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "shortName": "M-Files Corporation", "dateUpdated": "2024-08-27T10:52:19.231Z"}}}, "cveMetadata": {"cveId": "CVE-2024-6124", "state": "PUBLISHED", "dateUpdated": "2024-08-27T10:52:19.231Z", "dateReserved": "2024-06-18T13:29:45.431Z", "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "datePublished": "2024-07-29T13:00:33.825Z", "assignerShortName": "M-Files Corporation"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:m-files:hubshare:*:*:*:*:*:*:*:*", "matchCriteriaId": "CF69DBD6-AB20-497F-AA46-9881B022C0EE", "versionEndExcluding": "5.0.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Reflected XSS in M-Files Hubshare before version 5.0.6.0 allows\u00a0an attacker to execute arbitrary JavaScript code in the context of the victim's browser session"}, {"lang": "es", "value": " XSS reflejado en M-Files Hubshare anterior a la versi\u00f3n 5.0.6.0 permite a un atacante ejecutar c\u00f3digo JavaScript arbitrario en el contexto de la sesi\u00f3n del navegador de la v\u00edctima"}], "id": "CVE-2024-6124", "lastModified": "2024-11-21T09:49:00.767", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "CLEAR", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:M/U:Clear", "version": "4.0", "vulnerabilityResponseEffort": "MODERATE", "vulnerableSystemAvailability": "NONE", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "HIGH"}, "source": "security@m-files.com", "type": "Secondary"}]}, "published": "2024-07-29T13:15:10.810", "references": [{"source": "security@m-files.com", "url": "https://product.m-files.com/security-advisories/cve-2024-6124/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2024-6124/"}], "sourceIdentifier": "security@m-files.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@m-files.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}