CVE-2024-10126 & CVE-2024-10127: M-Files Addresses File Inclusion and Authentication Bypass Flaws
M-Files, a leading provider of information management solutions, has released security updates to address two vulnerabilities in its server software. The vulnerabilities, identified as CVE-2024-10126 and CVE-2024-10127, could allow attackers to read sensitive files or bypass authentication under certain conditions.
CVE-2024-10126 (CVSSv4 5.3) is a local file inclusion vulnerability that could allow an authenticated user to access files on the server. This vulnerability exists in M-Files Server versions before 24.11 (excluding 24.8 SR1, 24.2 SR3, and 23.8 SR7). As stated in the advisory, the vulnerability allows an attacker to “read server local files of a limited set of filetypes via document preview.”
CVE-2024-10127 (CVSSv4 9.2) is an authentication bypass vulnerability that affects M-Files Server versions before 24.11 when configured with LDAP authentication. This vulnerability could allow attackers to gain access to the server without providing a password if the LDAP server is misconfigured to allow anonymous binding. The advisory clarifies that “anonymous binding is not enabled by default in LDAP servers.”
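The advisory does not describe the internal cause of the bypass. The example below is added here and is not M-Files code; it assumes the common pattern behind this class of bug: an application forwards a user-supplied empty password to an LDAP simple bind, and a directory that permits anonymous binds answers success, because RFC 4513 treats a DN with an empty password as an unauthenticated bind rather than a failed one. The server class, directory entries and DN layout are constructed stand-ins so the code runs offline.

```python
"""Simulated LDAP simple bind next to a vulnerable and a hardened
application-side login check (illustrative, not M-Files code)."""
from dataclasses import dataclass

# Constructed sample directory: DN -> password (hypothetical data).
DIRECTORY = {
    "cn=alice,ou=users,dc=example,dc=com": "correct horse battery staple",
}


@dataclass
class LdapServer:
    """Minimal stand-in for a directory's simple-bind handling."""
    allow_anonymous_bind: bool  # the misconfiguration the advisory names

    def simple_bind(self, dn: str, password: str) -> bool:
        # RFC 4513 5.1.2: a name with an empty password is an
        # *unauthenticated* bind. A server that allows anonymous access
        # answers success without ever checking the DN's credentials.
        if password == "":
            return self.allow_anonymous_bind
        return DIRECTORY.get(dn) == password


def _user_dn(username: str) -> str:
    # Assumed DN layout; username is taken as already validated.
    return f"cn={username},ou=users,dc=example,dc=com"


def authenticate_vulnerable(server: LdapServer, username: str, password: str) -> bool:
    """Trusts the bind result alone. With an empty password and a server
    that permits anonymous binds, the bind 'succeeds' and the caller is
    logged in as `username` without knowing any password."""
    return server.simple_bind(_user_dn(username), password)


def authenticate_hardened(server: LdapServer, username: str, password: str) -> bool:
    """Rejects empty credentials before talking to the directory, so a
    successful bind can only be an authenticated simple bind. This
    holds regardless of how the LDAP server is configured."""
    if not username or not password:
        return False
    return server.simple_bind(_user_dn(username), password)
```

The hardened check does not depend on the directory's anonymous-bind policy, which is the point: the application should fail closed even when the LDAP server is misconfigured.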
M-Files urges all users to update their server software to version 24.11 or later to mitigate these vulnerabilities. The company emphasizes that “the issue can be remediated by updating the M-Files server to a patched version.”