8.6

CVE-2025-13008

Session Token Disclosure in M-Files Web

An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users.
Data is provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).
Vendor: M-Files Corporation
Product: M-Files Server
Default status: unaffected
Version 0, < 25.12.15491.7: affected
Version 25.8.15085.18: unaffected
Version 25.2.14524.14: unaffected
Version 24.8.13981.17: unaffected
No warning was found for this CVE.
EPSS Metrics
Type Source Score Percentile
EPSS FIRST.org 0.53% 0.402
CVSS Metrics
Source Base Score Exploit Score Impact Score Vector String
security@m-files.com 8.6 0 0 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CWE-359 Exposure of Private Personal Information to an Unauthorized Actor

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

https://product.m-files.com/security-advisories/cve-2025-13008
https://empower.m-files.com/security-advisories/CVE-2025-13008