=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN906
_____________________________________________________________________

DATE                : 26/12/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running M-Files Server versions prior
                      to 25.12.15491.7, LTS 25.8 SR3 (25.8.15085.18),
                      LTS 25.2 SR3 (25.2.14524.14), LTS 24.8 SR5 (24.8.13981.17).

=====================================================================
https://product.m-files.com/security-advisories/cve-2025-13008/
_____________________________________________________________________


CVE-2025-13008: Session Token Disclosure in M-Files Web


DESCRIPTION

An information disclosure vulnerability in M-Files Server before
versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5
allows an authenticated attacker using M-Files Web to capture
session tokens of other active users.


AFFECTED PRODUCTS

M-Files Server before 25.12.15491.7
M-Files Server before LTS 25.8 SR3 (25.8.15085.18)
M-Files Server before LTS 25.2 SR3 (25.2.14524.14)
M-Files Server before LTS 24.8 SR5 (24.8.13981.17)
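The four thresholds above are easy to misread when a fleet mixes the current
release with several LTS branches, because each branch has its own fixed
build. The following script is an added example (not code from M-Files or
CERT-Renater) that turns the list into a check an administrator can run
against an inventory of installed versions. The fixed builds are copied from
the advisory; the matching rule (a build on a listed LTS branch is compared
with that branch's fix, any other build with the 25.12.15491.7 fix) and the
sample inventory are assumptions made for the example.

```python
"""Classify installed M-Files Server builds against the CVE-2025-13008 fixes.

Added example, not vendor or CERT code. Fixed builds come from the advisory's
AFFECTED PRODUCTS section; the branch-matching rule is an assumption.
"""
from __future__ import annotations

# Fixed builds listed in the advisory.
CURRENT_FIX = (25, 12, 15491, 7)
LTS_FIXES = {
    (25, 8): (25, 8, 15085, 18),   # LTS 25.8 SR3
    (25, 2): (25, 2, 14524, 14),   # LTS 25.2 SR3
    (24, 8): (24, 8, 13981, 17),   # LTS 24.8 SR5
}

# Constructed sample inventory (hostname, reported server version); not real hosts.
SAMPLE_INVENTORY = [
    ("dms-prod-01", "25.8.15085.17"),   # LTS 25.8, one build short of SR3
    ("dms-prod-02", "25.8.15085.18"),   # LTS 25.8 SR3, fixed
    ("dms-test-01", "25.12.15491.6"),   # current release, unfixed
    ("dms-legacy",  "24.8.13981.17"),   # LTS 24.8 SR5, fixed
    ("dms-archive", "24.2.13500.3"),    # branch with no listed LTS fix (assumption: compare with current fix)
]


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Turn '25.8.15085.18' into (25, 8, 15085, 18); reject other shapes."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected M-Files version format: {text!r}")
    major, minor, build, rev = (int(p) for p in parts)
    return (major, minor, build, rev)


def fix_for(version: tuple[int, int, int, int]) -> tuple[int, int, int, int]:
    """Pick the fixed build to compare with: the branch's LTS fix if it has one,
    otherwise the current-release fix (assumed rule, see module docstring)."""
    return LTS_FIXES.get(version[:2], CURRENT_FIX)


def is_affected(text: str) -> bool:
    """True when the installed build is older than the fix for its branch.
    Tuple comparison is lexicographic, which matches the YY.MM.build.rev layout."""
    version = parse_version(text)
    return version < fix_for(version)


def affected_hosts(inventory: list[tuple[str, str]]) -> list[str]:
    """Return the hostnames whose reported version is still vulnerable."""
    return [host for host, version in inventory if is_affected(version)]


if __name__ == "__main__":
    for host, version in SAMPLE_INVENTORY:
        state = "AFFECTED " if is_affected(version) else "fixed    "
        print(f"{state} {host:12} {version:16} (fix: {'.'.join(map(str, fix_for(parse_version(version))))})")
```

Run it against a real export of server versions in place of `SAMPLE_INVENTORY`;
a build that sits on a branch the advisory does not list is reported under the
assumed rule, so confirm those cases against the vendor advisory directly.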


MORE INFORMATION

The vulnerability exists in M-Files Web and requires an authenticated
attacker. The victim must be actively using M-Files Web and doing
specific client operations. An attacker could obtain session tokens
of other users to impersonate them and perform actions with their
identity and permissions.

CVSS 4.0 Base Score (CVSS-B): 8.6

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CWE: CWE-359: Exposure of Private Personal Information to an Unauthorized
Actor

CAPEC: CAPEC-60: Reusing Session IDs (aka Session Replay)

Internal ID: CE-2194

Date issued: 2025-12-19

Alternate IDs: EUVD-2025-204468


EXPLOITABILITY

Publicly disclosed: No
Exploited: No
Probability of exploitation: Low – responsibly reported


LINKS

https://www.cve.org/CVERecord?id=CVE-2025-13008

https://euvd.enisa.europa.eu/vulnerability/EUVD-2025-204468


HISTORY

2025-12-19 Published

© 2025 - M-Files, All Rights Re

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================