CVE-2023-43623

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

A vulnerability has been identified in Mendix Forgot Password (Mendix 10 compatible) (All versions < V5.4.0), Mendix Forgot Password (Mendix 7 compatible) (All versions < V3.7.3), Mendix Forgot Password (Mendix 8 compatible) (All versions < V4.1.3), Mendix Forgot Password (Mendix 9 compatible) (All versions < V5.4.0). Applications using the affected module are vulnerable to user enumeration due to distinguishable responses. This could allow an unauthenticated remote attacker to determine if a user is valid or not, enabling a brute force attack with valid users.

Se ha identificado una vulnerabilidad en:
Mendix Forgot Password (compatible con Mendix 10) (todas las versiones < V5.4.0),
Mendix Forgot Password (compatible con Mendix 7) (todas las versiones < V3.7.3),
Mendix Forgot Password (compatible con Mendix 8) (Todas versiones < V4.1.3),
Mendix Forgot Password (compatible con Mendix 9) (Todas las versiones < V5.4.0).
Las aplicaciones que utilizan el módulo afectado son vulnerables a la enumeración de usuarios debido a respuestas distinguibles. Esto podría permitir que un atacante remoto no autenticado determine si un usuario es válido o no, permitiendo un ataque de fuerza bruta con usuarios válidos.

*Credits: N/A

CVSS Scores

Siemens AGv3.1 5.3

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-09-20 CVE Reserved
2023-10-10 CVE Published
2024-09-18 CVE Updated
2024-10-16 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-203: Observable Discrepancy

CAPEC

References (1)

URL	Tag	Source
https://cert-portal.siemens.com/productcert/pdf/ssa-295483.pdf	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Mendix Search vendor "Mendix"		Forgot Password Search vendor "Mendix" for product "Forgot Password"				< 3.7.3 Search vendor "Mendix" for product "Forgot Password" and version " < 3.7.3"		-		Affected
Mendix Search vendor "Mendix"		Forgot Password Search vendor "Mendix" for product "Forgot Password"				>= 4.0.0 < 4.1.3 Search vendor "Mendix" for product "Forgot Password" and version " >= 4.0.0 < 4.1.3"		-		Affected
Mendix Search vendor "Mendix"		Forgot Password Search vendor "Mendix" for product "Forgot Password"				>= 5.0.0 < 5.4.0 Search vendor "Mendix" for product "Forgot Password" and version " >= 5.0.0 < 5.4.0"		-		Affected