CVE-2023-2480

Published: May 25, 2023Modified: Feb 23, 2026

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

Missing access permissions checks in M-Files Client before 23.5.12598.0 (excluding 23.2 SR2 and newer) allows elevation of privilege via UI extension applications

Affected (1)

Products: M Files: M Files

M Files

1 product

M Files

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
M Files M Files	Before 23.5.12598.0

Related CWEs

CWE-280

Improper Handling of Insufficient Permissions or Privileges

The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.

CWE-862

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (4)

https://empower.m-files.com/security-advisories/CVE-2023-2480

Source: security@m-files.com

https://product.m-files.com/security-advisories/cve-2023-2480/

Source: security@m-files.com

https://www.m-files.com/about/trust-center/security-advisories/cve-2023-2480/

Source: nvd@nist.gov

Vendor Advisory

https://https://www.m-files.com/about/trust-center/security-advisories/cve-2023-2480/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.