
CVSS: 7.5 | EPSS: 0% | CPEs: 5 | EXPL: 0

12 Jul 2022 — A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.31), Mendix Applications using Mendix 8 (All versions < V8.18.18), Mendix Applications using Mendix 9 (All versions < V9.14.0), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.2), Mendix Applications using Mendix 9 (V9.6) (All versions < V9.6.12). In case of access to an active user session in an application that is built with an affected version, it’s possible to change that user’s password bypa... • https://cert-portal.siemens.com/productcert/pdf/ssa-433782.pdf • CWE-284: Improper Access Control

CVSS: 6.1 | EPSS: 0% | CPEs: 3 | EXPL: 0

14 Jun 2022 — A vulnerability has been identified in Mendix SAML Module (Mendix 7 compatible) (All versions < V1.16.6), Mendix SAML Module (Mendix 8 compatible) (All versions < V2.2.2), Mendix SAML Module (Mendix 9 compatible) (All versions < V3.2.3). In certain configurations the SAML module is vulnerable to Cross Site Scripting (XSS) attacks due to insufficient error message sanitation. This could allow an attacker to execute malicious code by tricking users into accessing a malicious link. • https://cert-portal.siemens.com/productcert/pdf/ssa-740594.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 | EPSS: 0% | CPEs: 3 | EXPL: 0

14 Jun 2022 — A vulnerability has been identified in Mendix SAML Module (Mendix 7 compatible) (All versions < V1.16.6), Mendix SAML Module (Mendix 8 compatible) (All versions < V2.2.2), Mendix SAML Module (Mendix 9 compatible) (All versions < V3.2.3). The affected module is vulnerable to XML External Entity (XXE) attacks due to insufficient input sanitation. This may allow an attacker to disclose confidential data under certain circumstances. • https://cert-portal.siemens.com/productcert/pdf/ssa-740594.pdf • CWE-611: Improper Restriction of XML External Entity Reference

CVSS: 7.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

12 Apr 2022 — A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.31), Mendix Applications using Mendix 8 (All versions < V8.18.18), Mendix Applications using Mendix 9 (All versions < V9.11), Mendix Applications using Mendix 9 (V9.6) (All versions < V9.6.12). Applications built with an affected system publicly expose the internal project structure. This could allow an unauthenticated remote attacker to read confidential information. • https://cert-portal.siemens.com/productcert/pdf/ssa-414513.pdf • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 6.5 | EPSS: 0% | CPEs: 3 | EXPL: 0

12 Apr 2022 — A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.27), Mendix Applications using Mendix 8 (All versions < V8.18.14), Mendix Applications using Mendix 9 (All versions < V9.12.0), Mendix Applications using Mendix 9 (V9.6) (All versions < V9.6.3). When querying the database, it is possible to sort the results using a protected field. With this, an authenticated attacker could extract information about the contents of a protected field. • https://cert-portal.siemens.com/productcert/pdf/ssa-870917.pdf • CWE-284: Improper Access Control

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

08 Mar 2022 — A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.29). When returning the result of a completed Microflow execution call, the affected framework does not correctly verify whether the request was initially made by the user requesting the result. Together with predictable identifiers for Microflow execution calls, this could allow a malicious attacker to retrieve information about arbitrary Microflow execution calls made by users within the affected system. • https://cert-portal.siemens.com/productcert/pdf/ssa-415938.pdf • CWE-284: Improper Access Control • CWE-330: Use of Insufficiently Random Values

CVSS: 9.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

08 Mar 2022 — A vulnerability has been identified in Mendix Forgot Password Appstore module (All versions >= V3.3.0 < V3.5.1), Mendix Forgot Password Appstore module (Mendix 7 compatible) (All versions < V3.2.2). Initial passwords are generated in an insecure manner. This could allow an unauthenticated remote attacker to efficiently brute force passwords in specific situations. • https://cert-portal.siemens.com/productcert/pdf/ssa-134279.pdf • CWE-307: Improper Restriction of Excessive Authentication Attempts

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

08 Mar 2022 — A vulnerability has been identified in Mendix Forgot Password Appstore module (All versions >= V3.3.0 < V3.5.1). In certain configurations of the affected product, a threat actor could use the sign up flow to hijack arbitrary user accounts. • https://cert-portal.siemens.com/productcert/pdf/ssa-134279.pdf • CWE-284: Improper Access Control

CVSS: 8.1 | EPSS: 0% | CPEs: 3 | EXPL: 0

08 Mar 2022 — A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.29), Mendix Applications using Mendix 8 (All versions < V8.18.16), Mendix Applications using Mendix 9 (All versions < V9.13, only with Runtime Custom Setting *DataStorage.UseNewQueryHandler* set to False). If an entity has an association readable by the user, then in some cases, Mendix Runtime may not apply checks for XPath constraints that parse said associations, within apps running on affected versions. A malic... • https://cert-portal.siemens.com/productcert/html/ssa-148641.html • CWE-284: Improper Access Control

CVSS: 4.3 | EPSS: 0% | CPEs: 2 | EXPL: 0

09 Nov 2021 — A vulnerability has been identified in Mendix Applications using Mendix 8 (All versions < V8.18.13), Mendix Applications using Mendix 9 (All versions < V9.6.2). Applications built with affected versions of Mendix Studio Pro do not properly control read access for certain client actions. This could allow authenticated attackers to retrieve the changedDate attribute of arbitrary objects, even when they don't have read access to them. • https://cert-portal.siemens.com/productcert/pdf/ssa-779699.pdf • CWE-863: Incorrect Authorization