M-Files Server Information Disclosure Vulnerability Allowing Session Token Capture

Vulnerability

A vulnerability allowing information disclosure has been identified in M-Files Server versions prior to 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3, and 24.8 LTS SR5. This vulnerability allows an authenticated attacker using M-Files Web to capture session tokens from other active users. The attacker could then impersonate these users and perform actions using their identity and permissions.

Impact

Exploitation of this vulnerability allows an authenticated attacker to capture and reuse session tokens of other users, enabling impersonation and unauthorized actions on behalf of those users.

Added: Dec 19, 2025, 7:27 AM
Updated: Dec 19, 2025, 7:27 AM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 5.0
exploitability: 4.6
remediation: 7.7
relevance: 1.4
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.