CVE-2024-6881 - Vulnerability Details - OpenCVE

Stored XSS in M-Files Hubshare versions before 5.0.6.0 allows an authenticated attacker to execute arbitrary JavaScript in user's browser session

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00147.

Key SSVC decision points have not yet been added.

Vendors	Products
M-files	Hubshare

Configuration 1 [-]

cpe:2.3:a:m-files:hubshare:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2024-47872	Stored XSS in M-Files Hubshare versions before 5.0.6.0 allows an authenticated attacker to execute arbitrary JavaScript in user's browser session

Fixes

Solution

Update to patched version

Workaround

No workaround given by the vendor.

References

Link	Providers
https://product.m-files.com/security-advisories/cve-2024-6881/
https://www.m-files.com/about/trust-center/security-advisories/cve-2024-6881/

History

Tue, 27 Aug 2024 11:00:00 +0000

Type	Values Removed	Values Added
References		https://product.m-files.com/security-advisories/cve-2024-6881/

Thu, 08 Aug 2024 20:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		M-files M-files hubshare
CPEs		cpe:2.3:a:m-files:hubshare::::::::
Vendors & Products		M-files M-files hubshare
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: M-Files Corporation

Published: 2024-07-29T12:56:51.695Z

Updated: 2024-08-27T10:54:23.772Z

Reserved: 2024-07-18T12:02:56.636Z

Link: CVE-2024-6881

Vulnrichment

Updated: 2024-08-01T21:45:38.367Z

NVD

Status : Modified

Published: 2024-07-29T13:15:10.990

Modified: 2024-11-21T09:50:27.293

Link: CVE-2024-6881

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-6881", "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "state": "PUBLISHED", "assignerShortName": "M-Files Corporation", "dateReserved": "2024-07-18T12:02:56.636Z", "datePublished": "2024-07-29T12:56:51.695Z", "dateUpdated": "2024-08-27T10:54:23.772Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Hubshare", "vendor": "M-Files Corporation", "versions": [{"lessThan": "5.0.6.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Markus Tirrenberg / WithSecure"}, {"lang": "en", "type": "finder", "value": "Emma Kantanen / WithSecure"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Stored XSS in M-Files Hubshare versions before 5.0.6.0 allows an authenticated attacker to execute arbitrary JavaScript in user's browser session<br><br>"}], "value": "Stored XSS in M-Files Hubshare versions before 5.0.6.0 allows an authenticated attacker to execute arbitrary JavaScript in user's browser session"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.5, "baseSeverity": "HIGH", "privilegesRequired": "LOW", "providerUrgency": "CLEAR", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/RE:M/U:Clear", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "shortName": "M-Files Corporation", "dateUpdated": "2024-08-27T10:54:23.772Z"}, "references": [{"url": "https://product.m-files.com/security-advisories/cve-2024-6881/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Update to patched version"}], "value": "Update to patched version"}], "source": {"discovery": "EXTERNAL"}, "title": "Stored XSS Vulnerability", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-30T16:15:18.816896Z", "id": "CVE-2024-6881", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-30T16:15:25.169Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:45:38.367Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2024-6881/", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2024-6881/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:45:38.367Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-6881", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-30T16:15:18.816896Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-30T16:15:22.309Z"}}], "cna": {"title": "Stored XSS Vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Markus Tirrenberg / WithSecure"}, {"lang": "en", "type": "finder", "value": "Emma Kantanen / WithSecure"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/RE:M/U:Clear", "providerUrgency": "CLEAR", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "MODERATE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "M-Files Corporation", "product": "Hubshare", "versions": [{"status": "affected", "version": "0", "lessThan": "5.0.6.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update to patched version", "supportingMedia": [{"type": "text/html", "value": "Update to patched version", "base64": false}]}], "references": [{"url": "https://product.m-files.com/security-advisories/cve-2024-6881/"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Stored XSS in M-Files Hubshare versions before 5.0.6.0 allows an authenticated attacker to execute arbitrary JavaScript in user's browser session", "supportingMedia": [{"type": "text/html", "value": "Stored XSS in M-Files Hubshare versions before 5.0.6.0 allows an authenticated attacker to execute arbitrary JavaScript in user's browser session<br><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "shortName": "M-Files Corporation", "dateUpdated": "2024-08-27T10:54:23.772Z"}}}, "cveMetadata": {"cveId": "CVE-2024-6881", "state": "PUBLISHED", "dateUpdated": "2024-08-27T10:54:23.772Z", "dateReserved": "2024-07-18T12:02:56.636Z", "assignerOrgId": "bcf7a16e-bfdc-46e4-9e42-4187da3f4410", "datePublished": "2024-07-29T12:56:51.695Z", "assignerShortName": "M-Files Corporation"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:m-files:hubshare:*:*:*:*:*:*:*:*", "matchCriteriaId": "CF69DBD6-AB20-497F-AA46-9881B022C0EE", "versionEndExcluding": "5.0.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Stored XSS in M-Files Hubshare versions before 5.0.6.0 allows an authenticated attacker to execute arbitrary JavaScript in user's browser session"}, {"lang": "es", "value": " XSS almacenado en versiones de M-Files Hubshare anteriores a 5.0.6.0 permite a un atacante autenticado ejecutar JavaScript arbitrario en la sesi\u00f3n del navegador del usuario"}], "id": "CVE-2024-6881", "lastModified": "2024-11-21T09:50:27.293", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "CLEAR", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:M/U:Clear", "version": "4.0", "vulnerabilityResponseEffort": "MODERATE", "vulnerableSystemAvailability": "NONE", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "HIGH"}, "source": "security@m-files.com", "type": "Secondary"}]}, "published": "2024-07-29T13:15:10.990", "references": [{"source": "security@m-files.com", "url": "https://product.m-files.com/security-advisories/cve-2024-6881/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2024-6881/"}], "sourceIdentifier": "security@m-files.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@m-files.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}