CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-43623
https://notcve.org/view.php?id=CVE-2023-43623
A vulnerability has been identified in Mendix Forgot Password (Mendix 10 compatible) (All versions < V5.4.0), Mendix Forgot Password (Mendix 7 compatible) (All versions < V3.7.3), Mendix Forgot Password (Mendix 8 compatible) (All versions < V4.1.3), Mendix Forgot Password (Mendix 9 compatible) (All versions < V5.4.0). Applications using the affected module are vulnerable to user enumeration due to distinguishable responses. This could allow an unauthenticated remote attacker to determine if a user is valid or not, enabling a brute force attack with valid users. Se ha identificado una vulnerabilidad en: Mendix Forgot Password (compatible con Mendix 10) (todas las versiones < V5.4.0), Mendix Forgot Password (compatible con Mendix 7) (todas las versiones < V3.7.3), Mendix Forgot Password (compatible con Mendix 8) (Todas versiones < V4.1.3), Mendix Forgot Password (compatible con Mendix 9) (Todas las versiones < V5.4.0). Las aplicaciones que utilizan el módulo afectado son vulnerables a la enumeración de usuarios debido a respuestas distinguibles. Esto podría permitir que un atacante remoto no autenticado determine si un usuario es válido o no, permitiendo un ataque de fuerza bruta con usuarios válidos. • https://cert-portal.siemens.com/productcert/pdf/ssa-295483.pdf • CWE-203: Observable Discrepancy •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-29129
https://notcve.org/view.php?id=CVE-2023-29129
A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions >= V1.17.3 < V1.18.0), Mendix SAML (Mendix 7 compatible) (All versions >= V1.16.4 < V1.17.3), Mendix SAML (Mendix 8 compatible) (All versions >= V2.3.0 < V2.4.0), Mendix SAML (Mendix 8 compatible) (All versions >= V2.2.0 < V2.3.0), Mendix SAML (Mendix 9 latest compatible, New Track) (All versions >= V3.3.1 < V3.6.1), Mendix SAML (Mendix 9 latest compatible, New Track) (All versions >= V3.1.9 < V3.3.1), Mendix SAML (Mendix 9 latest compatible, Upgrade Track) (All versions >= V3.3.0 < V3.6.0), Mendix SAML (Mendix 9 latest compatible, Upgrade Track) (All versions >= V3.1.8 < V3.3.0), Mendix SAML (Mendix 9.12/9.18 compatible, New Track) (All versions >= V3.3.1 < V3.3.15), Mendix SAML (Mendix 9.12/9.18 compatible, Upgrade Track) (All versions >= V3.3.0 < V3.3.14), Mendix SAML (Mendix 9.6 compatible, New Track) (All versions >= V3.1.9 < V3.2.7), Mendix SAML (Mendix 9.6 compatible, Upgrade Track) (All versions >= V3.1.8 < V3.2.6). The affected versions of the module insufficiently verify the SAML assertions. This could allow unauthenticated remote attackers to bypass authentication and get access to the application. This CVE entry describes the incomplete fix for CVE-2023-25957 in a specific non default configuration. • https://cert-portal.siemens.com/productcert/pdf/ssa-851884.pdf • CWE-287: Improper Authentication CWE-303: Incorrect Implementation of Authentication Algorithm •
CVSS: 5.3EPSS: 0%CPEs: 3EXPL: 0CVE-2023-27464
https://notcve.org/view.php?id=CVE-2023-27464
A vulnerability has been identified in Mendix Forgot Password (Mendix 7 compatible) (All versions < V3.7.1), Mendix Forgot Password (Mendix 8 compatible) (All versions < V4.1.1), Mendix Forgot Password (Mendix 9 compatible) (All versions < V5.1.1). The affected versions of the module contain an observable response discrepancy issue that could allow an attacker to retrieve sensitive information. • https://cert-portal.siemens.com/productcert/pdf/ssa-699404.pdf • CWE-203: Observable Discrepancy CWE-204: Observable Response Discrepancy •
CVSS: 9.1EPSS: 0%CPEs: 3EXPL: 0CVE-2023-25957
https://notcve.org/view.php?id=CVE-2023-25957
A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions >= V1.16.4 < V1.17.3), Mendix SAML (Mendix 8 compatible) (All versions >= V2.2.0 < V2.3.0), Mendix SAML (Mendix 9 latest compatible, New Track) (All versions >= V3.1.9 < V3.3.1), Mendix SAML (Mendix 9 latest compatible, Upgrade Track) (All versions >= V3.1.8 < V3.3.0), Mendix SAML (Mendix 9.6 compatible, New Track) (All versions >= V3.1.9 < V3.2.7), Mendix SAML (Mendix 9.6 compatible, Upgrade Track) (All versions >= V3.1.8 < V3.2.6). The affected versions of the module insufficiently verify the SAML assertions. This could allow unauthenticated remote attackers to bypass authentication and get access to the application. For compatibility reasons, fix versions still contain this issue, but only when the recommended, default configuration option `'Use Encryption'` is disabled. • https://cert-portal.siemens.com/productcert/pdf/ssa-851884.pdf • CWE-287: Improper Authentication CWE-303: Incorrect Implementation of Authentication Algorithm •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2023-23835
https://notcve.org/view.php?id=CVE-2023-23835
A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.34), Mendix Applications using Mendix 8 (All versions < V8.18.23), Mendix Applications using Mendix 9 (All versions < V9.22.0), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.10), Mendix Applications using Mendix 9 (V9.18) (All versions < V9.18.4), Mendix Applications using Mendix 9 (V9.6) (All versions < V9.6.15). Some of the Mendix runtime API’s allow attackers to bypass XPath constraints and retrieve information using XPath queries that trigger errors. • https://cert-portal.siemens.com/productcert/pdf/ssa-252808.pdf • CWE-284: Improper Access Control •