CVE-2022-46823
https://notcve.org/view.php?id=CVE-2022-46823
A vulnerability has been identified in Mendix SAML (Mendix 8 compatible) (All versions >= V2.3.0 < V2.3.4), Mendix SAML (Mendix 9 compatible, New Track) (All versions >= V3.3.0 < V3.3.9), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions >= V3.3.0 < V3.3.8). The affected module is vulnerable to reflected cross-site scripting (XSS) attacks. This could allow an attacker to extract sensitive information by tricking users into accessing a malicious link. • https://cert-portal.siemens.com/productcert/pdf/ssa-496604.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-44457
https://notcve.org/view.php?id=CVE-2022-44457
A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions < V1.17.0), Mendix SAML (Mendix 7 compatible) (All versions >= V1.17.0 < V1.17.2), Mendix SAML (Mendix 8 compatible) (All versions < V2.3.0), Mendix SAML (Mendix 8 compatible) (All versions >= V2.3.0 < V2.3.2), Mendix SAML (Mendix 9 compatible, New Track) (All versions < V3.3.1), Mendix SAML (Mendix 9 compatible, New Track) (All versions >= V3.3.1 < V3.3.5), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions < V3.3.0), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions >= V3.3.0 < V3.3.4). Affected versions of the module insufficiently protect from packet capture replay, only when the not recommended, non default configuration option `'Allow Idp Initiated Authentication'` is enabled. This CVE entry describes the incomplete fix for CVE-2022-37011 in a specific non default configuration. Se ha identificado una vulnerabilidad en Mendix SAML (compatible con Mendix 7) (Todas las versiones < V1.17.0), Mendix SAML (compatible con Mendix 7) (Todas las versiones >= V1.17.0 < V1.17.2), Mendix SAML (Mendix 8 compatible) (Todas las versiones < V2.3.0), Mendix SAML (compatible con Mendix 8) (Todas las versiones > V2.3.0 < V2.3.2), Mendix SAML (compatible con Mendix 9, New Track) (Todas las versiones < V3.3.1), Mendix SAML (compatible con Mendix 9, New Track) (todas las versiones >= V3.3.1 < V3.3.5), Mendix SAML (compatible con Mendix 9, Upgrade Track) (todas las versiones < V3.3.0 ), Mendix SAML (compatible con Mendix 9, Upgrade Track) (Todas las versiones > V3.3.0 y < V3.3.4). Las versiones afectadas del módulo no protegen suficientemente contra la reproducción de captura de paquetes, solo cuando la opción de configuración no predeterminada y no recomendada ""Permitir Autenticación Iniciada por Idp"" está habilitada. Esta entrada de CVE describe la solución incompleta para CVE-2022-37011 en una configuración específica no predeterminada. • https://cert-portal.siemens.com/productcert/pdf/ssa-638652.pdf • CWE-294: Authentication Bypass by Capture-replay •
CVE-2022-37011
https://notcve.org/view.php?id=CVE-2022-37011
A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions < V1.17.0), Mendix SAML (Mendix 8 compatible) (All versions < V2.3.0), Mendix SAML (Mendix 9 compatible, New Track) (All versions < V3.3.1), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions < V3.3.0). Affected versions of the module insufficiently protect from packet capture replay. This could allow unauthorized remote attackers to bypass authentication and get access to the application. For compatibility reasons, fix versions still contain this issue, but only when the not recommended, non default configuration option `'Allow Idp Initiated Authentication'` is enabled. Se ha identificado una vulnerabilidad en el módulo SAML de Mendix (compatible con Mendix 7) (todas las versiones anteriores a V1.17.0), el módulo SAML de Mendix (compatible con Mendix 8) (todas las versiones anteriores a V2.3.0), el módulo SAML de Mendix (compatible con Mendix 9, New Track) (todas las versiones anteriores a V3.3.1), el módulo SAML de Mendix (compatible con Mendix 9, Upgrade Track) (todas las versiones anteriores a V3.3.0). • https://cert-portal.siemens.com/productcert/pdf/ssa-638652.pdf • CWE-294: Authentication Bypass by Capture-replay •
CVE-2022-34467
https://notcve.org/view.php?id=CVE-2022-34467
A vulnerability has been identified in Mendix Excel Importer Module (Mendix 8 compatible) (All versions < V9.2.2), Mendix Excel Importer Module (Mendix 9 compatible) (All versions < V10.1.2). The affected component is vulnerable to XML Entity Expansion Injection. An attacker may use this to compromise the availability of the affected component. Se ha identificado una vulnerabilidad en el Módulo Importador de Excel de Mendix (compatible con Mendix 8) (Todas las versiones anteriores a V9.2.2), Módulo Importador de Excel de Mendix (compatible con Mendix 9) (Todas las versiones anteriores a V10.1.2). El componente afectado es vulnerable a una inyección de expansión de entidades XML. • https://cert-portal.siemens.com/productcert/pdf/ssa-610768.pdf • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •
CVE-2022-34466
https://notcve.org/view.php?id=CVE-2022-34466
A vulnerability has been identified in Mendix Applications using Mendix 9 (All versions >= V9.11 < V9.15), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.3). An expression injection vulnerability was discovered in the Workflow subsystem of Mendix Runtime, that can affect the running applications. The vulnerability could allow a malicious user to leak sensitive information in a certain configuration. Se ha identificado una vulnerabilidad en las aplicaciones Mendix usando Mendix 9 (Todas las versiones posteriores a V9.11 incluyéndola, anteriores a V9.15), Aplicaciones Mendix usando Mendix 9 (V9.12) (Todas las versiones anteriores a V9.12.3). Se ha detectado una vulnerabilidad de inyección de expresiones en el subsistema Workflow de Mendix Runtime, que puede afectar a las aplicaciones en ejecución. • https://cert-portal.siemens.com/productcert/pdf/ssa-492173.pdf • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •