
CVE-2021-42025
https://notcve.org/view.php?id=CVE-2021-42025
09 Nov 2021 — A vulnerability has been identified in Mendix Applications using Mendix 8 (All versions < V8.18.13), Mendix Applications using Mendix 9 (All versions < V9.6.2). Applications built with affected versions of Mendix Studio Pro do not properly control write access for certain client actions. This could allow authenticated attackers to manipulate the content of System.FileDocument objects in some cases, regardless of whether they have write access to it. • https://cert-portal.siemens.com/productcert/pdf/ssa-779699.pdf • CWE-863: Incorrect Authorization •

CVE-2021-42015
https://notcve.org/view.php?id=CVE-2021-42015
09 Nov 2021 — A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.26), Mendix Applications using Mendix 8 (All versions < V8.18.12), Mendix Applications using Mendix 9 (All versions < V9.6.1). Applications built with affected versions of Mendix Studio Pro do not prevent file documents from being cached when files are opened or downloaded using a browser. This could allow a local attacker to read those documents by exploring the browser cache. • https://cert-portal.siemens.com/productcert/pdf/ssa-338732.pdf • CWE-525: Use of Web Browser Cache Containing Sensitive Information •

CVE-2021-33712
https://notcve.org/view.php?id=CVE-2021-33712
08 Jun 2021 — A vulnerability has been identified in Mendix SAML Module (All versions < V2.1.2). The configuration of the SAML module does not properly check various restrictions and validations imposed by an identity provider. This could allow a remote authenticated attacker to escalate privileges. • https://cert-portal.siemens.com/productcert/pdf/ssa-522654.pdf • CWE-345: Insufficient Verification of Data Authenticity •

CVE-2021-31339
https://notcve.org/view.php?id=CVE-2021-31339
12 May 2021 — A vulnerability has been identified in Mendix Excel Importer Module (All versions < V9.0.3). Uploading a manipulated XML File results in an exception that could expose information about the Application-Server and the used XML-Framework. • https://cert-portal.siemens.com/productcert/pdf/ssa-854248.pdf • CWE-209: Generation of Error Message Containing Sensitive Information •

CVE-2021-31341
https://notcve.org/view.php?id=CVE-2021-31341
12 May 2021 — Uploading a table mapping using a manipulated XML file results in an exception that could expose information about the application-server and the used XML-framework on the Mendix Database Replication Module (All versions prior to v7.0.1). • https://cert-portal.siemens.com/productcert/pdf/ssa-919955.pdf • CWE-209: Generation of Error Message Containing Sensitive Information •

CVE-2021-27394
https://notcve.org/view.php?id=CVE-2021-27394
16 Apr 2021 — A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.19), Mendix Applications using Mendix 8 (All versions < V8.17.0), Mendix Applications using Mendix 8 (V8.12) (All versions < V8.12.5), Mendix Applications using Mendix 8 (V8.6) (All versions < V8.6.9), Mendix Applications using Mendix 9 (All versions < V9.0.5). Authenticated, non-administrative users could modify their privileges by manipulating the user role under certain circumstances, allowing them to gain adm... • https://cert-portal.siemens.com/productcert/pdf/ssa-875726.pdf • CWE-269: Improper Privilege Management •

CVE-2021-25672
https://notcve.org/view.php?id=CVE-2021-25672
15 Mar 2021 — A vulnerability has been identified in Mendix Forgot Password Appstore module (All Versions < V3.2.1). The Forgot Password Marketplace module does not properly control access. An attacker could take over accounts. • https://cert-portal.siemens.com/productcert/pdf/ssa-917115.pdf • CWE-284: Improper Access Control •

CVE-2020-8160
https://notcve.org/view.php?id=CVE-2020-8160
06 Jan 2021 — MendixSSO <= 2.1.1 contains endpoints that make use of the openid handler, which is suffering from a Cross-Site Scripting vulnerability via the URL path. This is caused by the reflection of user-supplied data without appropriate HTML escaping or output encoding. As a result, a JavaScript payload may be injected into the above endpoint causing it to be executed within the context of the victim's browser. • https://hackerone.com/reports/838178 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2019-12996
https://notcve.org/view.php?id=CVE-2019-12996
10 Sep 2019 — In Mendix 7.23.5 and earlier, an issue in XML import mappings allows DOCTYPE declarations in the XML input, which is potentially unsafe. In Mendix versions 7.23.5 and earlier, the Excel importer module is vulnerable to an SSRF attack, which allows attackers to craft requests from Mendix servers to any destination on the Internet or a Mendix internal network, carry out port scans, and reveal listings of files located on Mendix servers. • https://docs.mendix.com/releasenotes/studio-pro/7.23#7236 • CWE-918: Server-Side Request Forgery (SSRF) •