CVE-2023-45794
https://notcve.org/view.php?id=CVE-2023-45794
A vulnerability has been identified in Mendix Applications using Mendix 10 (All versions < V10.4.0), Mendix Applications using Mendix 7 (All versions < V7.23.37), Mendix Applications using Mendix 8 (All versions < V8.18.27), Mendix Applications using Mendix 9 (All versions < V9.24.10). A capture-replay flaw in the platform could have an impact to apps built with the platform, if certain preconditions are met that depend on the app's model and access control design. This could allow authenticated attackers to access or modify objects without proper authorization, or escalate privileges in the context of the vulnerable app. Se ha identificado una vulnerabilidad en aplicaciones Mendix que usan: Mendix 10 (todas las versiones < V10.4.0), Mendix 7 (todas las versiones < V7.23.37), Mendix 8 (todas las versiones < V8.18.27), Mendix 9 (todas las versiones • https://cert-portal.siemens.com/productcert/pdf/ssa-084182.pdf • CWE-294: Authentication Bypass by Capture-replay •
CVE-2023-23835
https://notcve.org/view.php?id=CVE-2023-23835
A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.34), Mendix Applications using Mendix 8 (All versions < V8.18.23), Mendix Applications using Mendix 9 (All versions < V9.22.0), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.10), Mendix Applications using Mendix 9 (V9.18) (All versions < V9.18.4), Mendix Applications using Mendix 9 (V9.6) (All versions < V9.6.15). Some of the Mendix runtime API’s allow attackers to bypass XPath constraints and retrieve information using XPath queries that trigger errors. • https://cert-portal.siemens.com/productcert/pdf/ssa-252808.pdf • CWE-284: Improper Access Control •
CVE-2022-34466
https://notcve.org/view.php?id=CVE-2022-34466
A vulnerability has been identified in Mendix Applications using Mendix 9 (All versions >= V9.11 < V9.15), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.3). An expression injection vulnerability was discovered in the Workflow subsystem of Mendix Runtime, that can affect the running applications. The vulnerability could allow a malicious user to leak sensitive information in a certain configuration. Se ha identificado una vulnerabilidad en las aplicaciones Mendix usando Mendix 9 (Todas las versiones posteriores a V9.11 incluyéndola, anteriores a V9.15), Aplicaciones Mendix usando Mendix 9 (V9.12) (Todas las versiones anteriores a V9.12.3). Se ha detectado una vulnerabilidad de inyección de expresiones en el subsistema Workflow de Mendix Runtime, que puede afectar a las aplicaciones en ejecución. • https://cert-portal.siemens.com/productcert/pdf/ssa-492173.pdf • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •
CVE-2022-31257
https://notcve.org/view.php?id=CVE-2022-31257
A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.31), Mendix Applications using Mendix 8 (All versions < V8.18.18), Mendix Applications using Mendix 9 (All versions < V9.14.0), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.2), Mendix Applications using Mendix 9 (V9.6) (All versions < V9.6.12). In case of access to an active user session in an application that is built with an affected version, it’s possible to change that user’s password bypassing password validations within a Mendix application. This could allow to set weak passwords. Se ha identificado una vulnerabilidad en las aplicaciones de Mendix usando Mendix 7 (Todas las versiones anteriores a V7.23.31), las aplicaciones de Mendix usando Mendix 8 (Todas las versiones anteriores a V8.18.18), las aplicaciones de Mendix usando Mendix 9 (Todas las versiones anteriores a V9.14.0), las aplicaciones de Mendix usando Mendix 9 (versión V9.12) (Todas las versiones anteriores a V9.12.2), las aplicaciones de Mendix usando Mendix 9 (versión V9.6) (Todas las versiones anteriores a V9.6.12). En caso de acceder a una sesión de usuario activa en una aplicación construida con una versión afectada, es posible cambiar la contraseña de ese usuario omitiendo las comprobaciones de contraseña dentro de una aplicación Mendix. • https://cert-portal.siemens.com/productcert/pdf/ssa-433782.pdf • CWE-284: Improper Access Control •
CVE-2022-25650
https://notcve.org/view.php?id=CVE-2022-25650
A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.27), Mendix Applications using Mendix 8 (All versions < V8.18.14), Mendix Applications using Mendix 9 (All versions < V9.12.0), Mendix Applications using Mendix 9 (V9.6) (All versions < V9.6.3). When querying the database, it is possible to sort the results using a protected field. With this an authenticated attacker could extract information about the contents of a protected field. Se ha identificado una vulnerabilidad en las aplicaciones de Mendix usando Mendix 7 (todas las versiones anteriores a V7.23.27), las aplicaciones de Mendix usando Mendix 8 (todas las versiones anteriores a V8.18.14), las aplicaciones de Mendix usando Mendix 9 (todas las versiones anteriores a V9.12.0), las aplicaciones de Mendix usando Mendix 9 (V9.6) (todas las versiones anteriores a V9.6.3). Cuando es consultada la base de datos, es posible ordenar los resultados usando un campo protegido. • https://cert-portal.siemens.com/productcert/pdf/ssa-870917.pdf • CWE-284: Improper Access Control •