PT-2024-8764 · M Files · M-Files Server
Published: 2024-11-20 · Updated: 2026-02-23 · CVE-2024-10127
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
M-Files Server versions prior to 24.11
Description:
The issue stems from a weakness in the authentication procedure of the M-Files Server platform that allows a remote, unauthenticated attacker to bypass authentication and elevate privileges. It specifically concerns OpenLDAP configurations that accept user authentication without a password, i.e. cases where the LDAP server itself is configured to permit such binds.
Recommendations:
For M-Files Server versions prior to 24.11, update to version 24.11 or later to resolve the authentication bypass condition in LDAP authentication.
As a temporary workaround, consider disabling the use of OpenLDAP configurations that support anonymous binding until the update can be applied.
Restrict access to the LDAP authentication module to minimize the risk of exploitation.
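To make the failure mode concrete, the following is an added example (not M-Files or OpenLDAP code): a constructed in-memory directory that models LDAP simple-bind semantics per RFC 4513 (anonymous bind, unauthenticated bind with a DN but no password, and name/password bind), beside an application login that forwards the password unchecked and a hardened one that refuses to bind without a non-empty password. The DN, password and the `allow_unauthenticated_bind` knob are all assumptions for illustration.

```python
"""Model of the LDAP simple-bind weakness behind this advisory.

Added example, not code from M-Files or OpenLDAP. The directory is a
constructed stand-in: RFC 4513 s5.1.2 defines a simple bind carrying a DN
and an empty password as an *unauthenticated* bind, which a permissive
server answers with success. An application that forwards the typed
password unchecked then mistakes that success for proof of identity.
"""
from dataclasses import dataclass, field


@dataclass
class ModelDirectory:
    """Constructed directory: DN -> password, plus the server policy knob."""
    allow_unauthenticated_bind: bool
    accounts: dict = field(default_factory=lambda: {
        "uid=alice,ou=people,dc=example,dc=com": "correct-horse",  # constructed
    })

    def simple_bind(self, dn: str, password: str) -> bool:
        # Anonymous bind: no DN and no password (RFC 4513 s5.1.1).
        if not dn and not password:
            return True
        # Unauthenticated bind: DN present, password empty (RFC 4513 s5.1.2).
        # Whether this succeeds is purely a server-side policy decision.
        if dn and not password:
            return self.allow_unauthenticated_bind
        # Name/password bind (RFC 4513 s5.1.3): credentials are checked.
        return self.accounts.get(dn) == password


def login_vulnerable(directory: ModelDirectory, dn: str, password: str) -> bool:
    """Forwards whatever the user typed and trusts the bind result as-is."""
    return directory.simple_bind(dn, password)


def login_hardened(directory: ModelDirectory, dn: str, password: str) -> bool:
    """Never binds unless both a DN and a non-blank password are supplied,
    so a permissive server cannot turn an unauthenticated bind into a login."""
    if not dn or not password.strip():
        return False
    return directory.simple_bind(dn, password)
```

Detection-wise, a bind request with a non-empty DN and a zero-length credential in LDAP server logs is the signal to look for; the hardened client never produces one.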
Affected Products: M-Files Server