
CVSS: 7.8 | EPSS: 0% | CPEs: 6 | EXPL: 0

14 Feb 2023 — A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.34), Mendix Applications using Mendix 8 (All versions < V8.18.23), Mendix Applications using Mendix 9 (All versions < V9.22.0), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.10), Mendix Applications using Mendix 9 (V9.18) (All versions < V9.18.4), Mendix Applications using Mendix 9 (V9.6) (All versions < V9.6.15). Some of the Mendix runtime APIs allow attackers to bypass XPath constraints and ... • https://cert-portal.siemens.com/productcert/pdf/ssa-252808.pdf • CWE-284: Improper Access Control

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

12 Jul 2022 — A vulnerability has been identified in Mendix Applications using Mendix 9 (All versions >= V9.11 < V9.15), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.3). An expression injection vulnerability was discovered in the Workflow subsystem of Mendix Runtime, which can affect running applications. The vulnerability could allow a malicious user to leak sensitive information in a certain configuration. • https://cert-portal.siemens.com/productcert/pdf/ssa-492173.pdf • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

CVSS: 7.5 | EPSS: 0% | CPEs: 5 | EXPL: 0

12 Jul 2022 — A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.31), Mendix Applications using Mendix 8 (All versions < V8.18.18), Mendix Applications using Mendix 9 (All versions < V9.14.0), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.2), Mendix Applications using Mendix 9 (V9.6) (All versions < V9.6.12). In case of access to an active user session in an application that is built with an affected version, it’s possible to change that user’s password bypa... • https://cert-portal.siemens.com/productcert/pdf/ssa-433782.pdf • CWE-284: Improper Access Control

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

12 Apr 2022 — A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.31), Mendix Applications using Mendix 8 (All versions < V8.18.18), Mendix Applications using Mendix 9 (All versions < V9.11), Mendix Applications using Mendix 9 (V9.6) (All versions < V9.6.12). Applications built with an affected system publicly expose the internal project structure. This could allow an unauthenticated remote attacker to read confidential information. • https://cert-portal.siemens.com/productcert/pdf/ssa-414513.pdf • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 6.5 | EPSS: 0% | CPEs: 3 | EXPL: 0

12 Apr 2022 — A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.27), Mendix Applications using Mendix 8 (All versions < V8.18.14), Mendix Applications using Mendix 9 (All versions < V9.12.0), Mendix Applications using Mendix 9 (V9.6) (All versions < V9.6.3). When querying the database, it is possible to sort the results using a protected field. With this, an authenticated attacker could extract information about the contents of a protected field. • https://cert-portal.siemens.com/productcert/pdf/ssa-870917.pdf • CWE-284: Improper Access Control

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

08 Mar 2022 — A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.29). When returning the result of a completed Microflow execution call, the affected framework does not correctly verify whether the request was initially made by the user requesting the result. Together with predictable identifiers for Microflow execution calls, this could allow a malicious attacker to retrieve information about arbitrary Microflow execution calls made by users within the affected system. • https://cert-portal.siemens.com/productcert/pdf/ssa-415938.pdf • CWE-284: Improper Access Control • CWE-330: Use of Insufficiently Random Values

CVSS: 8.1 | EPSS: 0% | CPEs: 3 | EXPL: 0

08 Mar 2022 — A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.29), Mendix Applications using Mendix 8 (All versions < V8.18.16), Mendix Applications using Mendix 9 (All versions < V9.13 only with Runtime Custom Setting *DataStorage.UseNewQueryHandler* set to False). If an entity has an association readable by the user, then in some cases, Mendix Runtime may not apply checks for XPath constraints that parse said associations, within apps running on affected versions. A malic... • https://cert-portal.siemens.com/productcert/html/ssa-148641.html • CWE-284: Improper Access Control

CVSS: 4.3 | EPSS: 0% | CPEs: 2 | EXPL: 0

09 Nov 2021 — A vulnerability has been identified in Mendix Applications using Mendix 8 (All versions < V8.18.13), Mendix Applications using Mendix 9 (All versions < V9.6.2). Applications built with affected versions of Mendix Studio Pro do not properly control read access for certain client actions. This could allow authenticated attackers to retrieve the changedDate attribute of arbitrary objects, even when they don't have read access to them. • https://cert-portal.siemens.com/productcert/pdf/ssa-779699.pdf • CWE-863: Incorrect Authorization

CVSS: 6.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

09 Nov 2021 — A vulnerability has been identified in Mendix Applications using Mendix 8 (All versions < V8.18.13), Mendix Applications using Mendix 9 (All versions < V9.6.2). Applications built with affected versions of Mendix Studio Pro do not properly control write access for certain client actions. This could allow authenticated attackers to manipulate the content of System.FileDocument objects in some cases, regardless of whether they have write access to it. • https://cert-portal.siemens.com/productcert/pdf/ssa-779699.pdf • CWE-863: Incorrect Authorization

CVSS: 5.5 | EPSS: 0% | CPEs: 3 | EXPL: 0

09 Nov 2021 — A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.26), Mendix Applications using Mendix 8 (All versions < V8.18.12), Mendix Applications using Mendix 9 (All versions < V9.6.1). Applications built with affected versions of Mendix Studio Pro do not prevent file documents from being cached when files are opened or downloaded using a browser. This could allow a local attacker to read those documents by exploring the browser cache. • https://cert-portal.siemens.com/productcert/pdf/ssa-338732.pdf • CWE-525: Use of Web Browser Cache Containing Sensitive Information