CVE-2021-37253

HIGH

M-files Web < 20.10.9524.1 - HTTP Request Smuggling

Title source: rule

Description

M-Files Web before 20.10.9524.1 allows a denial of service via overlapping ranges (in HTTP requests with crafted Range or Request-Range headers). NOTE: this is disputed because the range behavior is the responsibility of the web server, not the responsibility of the individual web application

References (6)

[Vendor Advisory] https://www.m-files.com/company/trust-center/vulnerability-disclosure/

[Exploit, Mailing List, Third Party Advisory] http://seclists.org/fulldisclosure/2021/Dec/1

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/165139/M-Files-Web-Denial-Of-Service.html

[Exploit, Third Party Advisory] https://www.tenable.com/cve/CVE-2021-37253

[Exploit, Third Party Advisory] https://vulmon.com/vulnerabilitydetails?qid=CVE-2021-37253

[Vendor Advisory] https://www.m-files.com/about/trust-center/security-advisories/cve-2021-37253-denial-of-service/

Scores

CVSS v3 7.5

EPSS 0.0312

EPSS Percentile 86.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-444

Status published

Products (1)

m-files/m-files_web < 20.10.9524.1

Published Dec 05, 2021

Tracked Since Feb 18, 2026