CVE-2023-23835

14.02.2023, 11:15

A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.34), Mendix Applications using Mendix 8 (All versions < V8.18.23), Mendix Applications using Mendix 9 (All versions < V9.22.0), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.10), Mendix Applications using Mendix 9 (V9.18) (All versions < V9.18.4), Mendix Applications using Mendix 9 (V9.6) (All versions < V9.6.15). Some of the Mendix runtime APIs allow attackers to bypass XPath constraints and retrieve information using XPath queries that trigger errors.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
siemens	CNA	5.9 MEDIUM				CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 3%

Vendor	Product	Version
mendix	mendix	7.0.2 ≤ 𝑥 < 7.23.34
mendix	mendix	8.0.0 ≤ 𝑥 < 8.18.23
mendix	mendix	9.0.0 ≤ 𝑥 < 9.6.15
mendix	mendix	9.7.0 ≤ 𝑥 < 9.12.10
mendix	mendix	9.18.0 ≤ 𝑥 < 9.18.4
mendix	mendix	9.19.0 ≤ 𝑥 < 9.22.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-284 - Improper Access Control
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References

https://cert-portal.siemens.com/productcert/pdf/ssa-252808.pdf