CVE-2023-23835

EUVD-2023-27921

14.02.2023, 11:15

A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.34), Mendix Applications using Mendix 8 (All versions < V8.18.23), Mendix Applications using Mendix 9 (All versions < V9.22.0), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.10), Mendix Applications using Mendix 9 (V9.18) (All versions < V9.18.4), Mendix Applications using Mendix 9 (V9.6) (All versions < V9.6.15). Some of the Mendix runtime API’s allow attackers to bypass XPath constraints and retrieve information using XPath queries that trigger errors.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
siemens	CNA	5.9 MEDIUM				CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C

Base Score

CVSS 3.x

EPSS Score

Percentile: 49%

Affected Products (NVD)

Vendor	Product	Version
mendix	mendix	7.0.2 ≤ 𝑥 < 7.23.34
mendix	mendix	8.0.0 ≤ 𝑥 < 8.18.23
mendix	mendix	9.0.0 ≤ 𝑥 < 9.6.15
mendix	mendix	9.7.0 ≤ 𝑥 < 9.12.10
mendix	mendix	9.18.0 ≤ 𝑥 < 9.18.4
mendix	mendix	9.19.0 ≤ 𝑥 < 9.22.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-284 - Improper Access Control
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References

https://cert-portal.siemens.com/productcert/pdf/ssa-252808.pdf