CVE-2022-39016: M-Files Hubshare before 3.3.10.9 has XSS via a crafted PDF upload. An unauthenticated attacker can send a PDF file containing script to the upload page; when another user opens the stored document in a viewer that executes that script, it runs in the Hubshare context and can result in an account takeover. The issue is fixed in Hubshare 3.3.10.9.


M-Files Hubshare before 3.3.10.9 Vulnerable to XSS via PDF Upload

The upload page accepts a PDF from a user who has not authenticated, and the stored file is later served to other Hubshare users. A PDF carrying script therefore becomes a stored XSS payload: if the victim's viewer executes it, the attacker can act in the victim's session, up to a full account takeover.

CVE-2022-39016 is the identifier assigned to this issue: M-Files Hubshare before 3.3.10.9 has XSS via a crafted PDF upload. No account is required to upload the file, and the impact is takeover of the accounts of users who open it.


The embedded script only runs if the document is opened in a reader with JavaScript enabled; a viewer that ignores PDF JavaScript, or a download served as an attachment rather than rendered inline, does not trigger it. Where it does run, the attacker can remotely take control of other users' accounts, either directly through the script or by social-engineering a victim into opening the file.
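As an added example, not code from M-Files or from the original advisory, the following Python shows the two controls an upload feature of this kind needs: a scanner that rejects PDFs carrying JavaScript or open-time actions, including ones hidden behind PDF name escapes or inside a Flate-compressed object stream, and the response headers that stop a user-supplied file from rendering as a live document in the application's own origin. All sample PDFs are constructed here for the example; the function and header names are this example's own choices, not Hubshare's.

```python
import re
import zlib

# --- constructed sample inputs (not taken from the advisory) ------------------
# A minimal benign single-page PDF.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# The same file with an OpenAction that runs JavaScript as soon as it is opened.
SCRIPTED_PDF = BENIGN_PDF.replace(
    b"/Pages 2 0 R >>", b"/Pages 2 0 R /OpenAction 4 0 R >>"
).replace(
    b"trailer", b"4 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\ntrailer"
)

# Same payload with the action names written as PDF #xx hex escapes
# (/J#61vaScript is the name /JavaScript); a plain substring check misses it.
OBFUSCATED_PDF = SCRIPTED_PDF.replace(b"/JavaScript", b"/J#61vaScript").replace(
    b"/OpenAction", b"/Open#41ction"
)

# Same payload inside a Flate-compressed object stream, so nothing suspicious
# is visible in the raw bytes at all.
_hidden = zlib.compress(
    b"1 0 obj << /Type /Catalog /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj"
)
COMPRESSED_PDF = (
    b"%PDF-1.5\n"
    b"5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
    + str(len(_hidden)).encode() + b" >>\nstream\n" + _hidden + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# --- scanner ------------------------------------------------------------------
NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_BODY = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# A PDF name token ends at whitespace or a delimiter; the lookahead keeps /JS
# from matching inside a longer, unrelated name.
ACTION_NAMES = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch)(?![A-Za-z0-9_.-])")


def _unescape_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes in name tokens (/J#61vaScript -> /JavaScript)."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def _inflate_streams(data: bytes):
    """Yield the body of every stream that inflates as zlib/FlateDecode data;
    object streams (/ObjStm) are the usual place to hide an action dictionary."""
    for m in STREAM_BODY.finditer(data):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue


def scan_pdf(data: bytes) -> list:
    """Return the sorted action names found in the raw bytes or in any inflated
    stream, or ['not-a-pdf'] when the content does not start with a PDF header."""
    if not data.startswith(b"%PDF-"):
        return ["not-a-pdf"]
    found = set()
    for chunk in [data, *_inflate_streams(data)]:
        for m in ACTION_NAMES.finditer(_unescape_names(chunk)):
            found.add("/" + m.group(1).decode())
    return sorted(found)


def is_safe_upload(data: bytes) -> bool:
    """Accept only PDFs with no JavaScript, open-time or launch actions."""
    return scan_pdf(data) == []


# --- serving the stored file back -------------------------------------------
def download_headers(filename: str) -> dict:
    """Headers for returning an upload to a browser: force a download instead of
    inline rendering, forbid MIME sniffing, and sandbox the response so that
    even a scripted document cannot run with the application's origin."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    return {
        "Content-Type": "application/pdf",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
        "Cache-Control": "no-store",
    }
```

The scanner is defence in depth, not the primary fix: the reliable control is never rendering user-uploaded content from the same origin as the application (attachment disposition plus a sandboxing CSP as above, or a dedicated download host), because a stored document that a browser renders inline is script in your origin whatever the file extension says.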

Vendor Security Bulletin

For more information about the vulnerability, please visit
https://www.m-files.com/security-bulletin/CVE-2019-3863

Bug Bounty Program

The vulnerability was reported to the vendor, who promptly fixed it.
The following is the excerpt quoted in the bug bounty report:
"CVE-2022-39016 M-Files Hubshare before 3.3.10.9 has XSS via a crafted PDF upload. An unauthenticated attacker can send a PDF file with XSS to the upload page, resulting in an account takeover."

Timeline

Published on: 10/31/2022 21:15:00 UTC
Last modified on: 11/01/2022 19:57:00 UTC

References