CVE-2025-13008

Summary

An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 allows an authenticated attacker using M-Files Web to capture session tokens of other active users.

Affected Software

VendorProductVersion RangeStatus
M-Files CorporationM-Files Server0 < 25.12.15491.7affected
M-Files CorporationM-Files Server25.8.15085.18unaffected
M-Files CorporationM-Files Server25.2.14524.14unaffected
M-Files CorporationM-Files Server24.8.13981.17unaffected

Weaknesses

  • CWE-359: CWE-359 Exposure of Private Personal Information to an Unauthorized Actor

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References