CVE-2023-2325
📋 TL;DR
This is a stored cross-site scripting (XSS) vulnerability in M-Files Classic Web that allows attackers to inject malicious scripts into HTML documents. When users view these documents, the scripts execute in their browsers, potentially compromising their sessions or stealing sensitive data. Affected users include anyone using vulnerable versions of M-Files Classic Web.
💻 Affected Systems
- M-Files Classic Web
📦 What is this software?
Classic Web by M Files
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, hijack user sessions, perform actions on behalf of authenticated users, or deploy malware to client systems.
Likely Case
Attackers steal session cookies or authentication tokens to gain unauthorized access to the M-Files system, potentially accessing sensitive documents and metadata.
If Mitigated
With proper input validation and output encoding, malicious scripts would be neutralized before reaching user browsers, preventing execution.
🎯 Exploit Status
Requires ability to upload or create HTML documents within the system, typically needing some level of access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 23.10 or later, or LTS versions 23.2 LTS SR4, 23.8 LTS SR1 or later
Vendor Advisory: https://product.m-files.com/security-advisories/cve-2023-2325/
Restart Required: Yes
Instructions:
1. Back up your M-Files configuration and data.
2. Download the patched version from the M-Files customer portal.
3. Run the installer on your M-Files server.
4. Restart the M-Files service and IIS.
5. Verify the update in M-Files Admin.
🔧 Temporary Workarounds
Restrict HTML Document Uploads
Configure M-Files to block or restrict HTML file uploads through metadata-based rules.
Implement Content Security Policy
Add CSP headers to restrict script execution from untrusted sources.
Add to web.config: <add name="Content-Security-Policy" value="default-src 'self'; script-src 'self'" />
🧯 If You Can't Patch
- Implement strict input validation and output encoding for all user-supplied HTML content.
- Monitor and audit HTML document uploads and access patterns for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check the M-Files version in the Admin console under Help > About. If the version is below 23.10, or below 23.2 LTS SR4 / 23.8 LTS SR1 for LTS versions, the system is vulnerable.
Check Version:
In M-Files Admin: Help > About displays version.
Verify Fix Applied:
After patching, verify version shows 23.10 or higher, or appropriate LTS patch level. Test by attempting to upload HTML with script tags - they should be sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTML file uploads from unexpected users
- Multiple failed script injection attempts in web server logs
- Suspicious document access patterns
Network Indicators:
- Unexpected outbound connections from client browsers after viewing documents
- Data exfiltration patterns from the M-Files web interface
SIEM Query:
source="m-files-logs" AND ((event="file_upload" AND file_extension="html") OR (event="document_access" AND user_agent_contains="script"))
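The detection logic above, as an added example that is not part of the original page or the M-Files product: it applies the SIEM query (with the OR explicitly grouped under the source filter) and the "unusual HTML upload" indicator to constructed sample log events. The event field names and the allow-list of expected HTML publishers are assumptions; adjust them to your real M-Files and IIS log schema.

```python
import json

# Constructed sample events (not real M-Files or IIS logs); field names are assumed.
SAMPLE_LOG = """\
{"source": "m-files-logs", "event": "file_upload", "user": "svc-docgen", "file_extension": "html", "user_agent": "Mozilla/5.0"}
{"source": "m-files-logs", "event": "file_upload", "user": "contractor7", "file_extension": "html", "user_agent": "Mozilla/5.0"}
{"source": "m-files-logs", "event": "file_upload", "user": "contractor7", "file_extension": "pdf", "user_agent": "Mozilla/5.0"}
{"source": "m-files-logs", "event": "document_access", "user": "alice", "file_extension": "html", "user_agent": "python-requests/2.31"}
{"source": "m-files-logs", "event": "document_access", "user": "bob", "file_extension": "html", "user_agent": "Mozilla/5.0 script-runner"}
{"source": "iis-logs", "event": "document_access", "user": "mallory", "file_extension": "html", "user_agent": "script-kit"}
"""

# Accounts expected to publish HTML content (assumed allow-list; tune per deployment).
EXPECTED_HTML_PUBLISHERS = {"svc-docgen"}


def parse_log(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_html_upload(ev):
    """True for a file_upload event whose extension is html (case-insensitive)."""
    return ev.get("event") == "file_upload" and ev.get("file_extension", "").lower() == "html"


def matches_siem_query(ev):
    """The page's SIEM query with the OR grouped under the source filter."""
    if ev.get("source") != "m-files-logs":
        return False
    scripted_access = (ev.get("event") == "document_access"
                       and "script" in ev.get("user_agent", "").lower())
    return is_html_upload(ev) or scripted_access


def find_alerts(events):
    """Return (user, reason) pairs for events worth reviewing, in log order."""
    alerts = []
    for ev in events:
        unexpected = (is_html_upload(ev) and ev.get("source") == "m-files-logs"
                      and ev.get("user") not in EXPECTED_HTML_PUBLISHERS)
        if unexpected:
            alerts.append((ev["user"], "html upload from unexpected user"))
        elif matches_siem_query(ev):
            alerts.append((ev["user"], "siem query match"))
    return alerts


if __name__ == "__main__":
    for user, reason in find_alerts(parse_log(SAMPLE_LOG)):
        print(f"{user}: {reason}")
```

The last sample event shows why the grouping matters: without the outer parentheses, a document_access from any log source would match the query.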