CVE-2022-31257

Published: Jul 12, 2022Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.31), Mendix Applications using Mendix 8 (All versions < V8.18.18), Mendix Applications using Mendix 9 (All versions < V9.14.0), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.2), Mendix Applications using Mendix 9 (V9.6) (All versions < V9.6.12). In case of access to an active user session in an application that is built with an affected version, it’s possible to change that user’s password bypassing password validations within a Mendix application. This could allow to set weak passwords.

Affected (5)

Products: Mendix: Mendix

Mendix

1 product

Mendix

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Mendix Mendix	From 7.0.0 to 7.32.31
Mendix Mendix	From 8.0.0 to 8.18.18
Mendix Mendix	From 9.12.0 to 9.12.2
Mendix Mendix	From 9.13.0 to 9.14.0
Mendix Mendix	From 9.6.0 to 9.6.12

Related CWEs

CWE-284

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References (2)

https://cert-portal.siemens.com/productcert/pdf/ssa-433782.pdf

Source: productcert@siemens.com

PatchVendor Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-433782.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

Timeline

No history available yet.