All the vulnerabilites related to Siemens - Mendix Applications using Mendix 8
cve-2022-27241
Vulnerability from cvelistv5
Published
2022-04-12 09:08
Modified
2024-08-03 05:25
Severity ?
EPSS score ?
Summary
A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.31), Mendix Applications using Mendix 8 (All versions < V8.18.18), Mendix Applications using Mendix 9 (All versions < V9.11), Mendix Applications using Mendix 9 (V9.6) (All versions < V9.6.12). Applications built with an affected system publicly expose the internal project structure. This could allow an unauthenticated remote attacker to read confidential information.
References
▼ | URL | Tags |
---|---|---|
https://cert-portal.siemens.com/productcert/pdf/ssa-414513.pdf | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T05:25:32.284Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-414513.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mendix Applications using Mendix 7", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V7.23.31" } ] }, { "product": "Mendix Applications using Mendix 8", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V8.18.18" } ] }, { "product": "Mendix Applications using Mendix 9", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V9.11" } ] }, { "product": "Mendix Applications using Mendix 9 (V9.6)", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V9.6.12" } ] } ], "descriptions": [ { "lang": "en", "value": "A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions \u003c V7.23.31), Mendix Applications using Mendix 8 (All versions \u003c V8.18.18), Mendix Applications using Mendix 9 (All versions \u003c V9.11), Mendix Applications using Mendix 9 (V9.6) (All versions \u003c V9.6.12). Applications built with an affected system publicly expose the internal project structure. This could allow an unauthenticated remote attacker to read confidential information." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-07-12T10:06:37", "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-414513.pdf" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "productcert@siemens.com", "ID": "CVE-2022-27241", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mendix Applications using Mendix 7", "version": { "version_data": [ { "version_value": "All versions \u003c V7.23.31" } ] } }, { "product_name": "Mendix Applications using Mendix 8", "version": { "version_data": [ { "version_value": "All versions \u003c V8.18.18" } ] } }, { "product_name": "Mendix Applications using Mendix 9", "version": { "version_data": [ { "version_value": "All versions \u003c V9.11" } ] } }, { "product_name": "Mendix Applications using Mendix 9 (V9.6)", "version": { "version_data": [ { "version_value": "All versions \u003c V9.6.12" } ] } } ] }, "vendor_name": "Siemens" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions \u003c V7.23.31), Mendix Applications using Mendix 8 (All versions \u003c V8.18.18), Mendix Applications using Mendix 9 (All versions \u003c V9.11), Mendix Applications using Mendix 9 (V9.6) (All versions \u003c V9.6.12). Applications built with an affected system publicly expose the internal project structure. This could allow an unauthenticated remote attacker to read confidential information." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor" } ] } ] }, "references": { "reference_data": [ { "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-414513.pdf", "refsource": "MISC", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-414513.pdf" } ] } } } }, "cveMetadata": { "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "assignerShortName": "siemens", "cveId": "CVE-2022-27241", "datePublished": "2022-04-12T09:08:00", "dateReserved": "2022-03-18T00:00:00", "dateUpdated": "2024-08-03T05:25:32.284Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-25650
Vulnerability from cvelistv5
Published
2022-04-12 09:07
Modified
2024-08-03 04:42
Severity ?
EPSS score ?
Summary
A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.27), Mendix Applications using Mendix 8 (All versions < V8.18.14), Mendix Applications using Mendix 9 (All versions < V9.12.0), Mendix Applications using Mendix 9 (V9.6) (All versions < V9.6.3). When querying the database, it is possible to sort the results using a protected field. With this an authenticated attacker could extract information about the contents of a protected field.
References
▼ | URL | Tags |
---|---|---|
https://cert-portal.siemens.com/productcert/pdf/ssa-870917.pdf | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:42:50.611Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-870917.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mendix Applications using Mendix 7", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V7.23.27" } ] }, { "product": "Mendix Applications using Mendix 8", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V8.18.14" } ] }, { "product": "Mendix Applications using Mendix 9", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V9.12.0" } ] }, { "product": "Mendix Applications using Mendix 9 (V9.6)", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V9.6.3" } ] } ], "descriptions": [ { "lang": "en", "value": "A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions \u003c V7.23.27), Mendix Applications using Mendix 8 (All versions \u003c V8.18.14), Mendix Applications using Mendix 9 (All versions \u003c V9.12.0), Mendix Applications using Mendix 9 (V9.6) (All versions \u003c V9.6.3). When querying the database, it is possible to sort the results using a protected field. With this an authenticated attacker could extract information about the contents of a protected field." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-04-12T09:07:42", "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-870917.pdf" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "productcert@siemens.com", "ID": "CVE-2022-25650", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mendix Applications using Mendix 7", "version": { "version_data": [ { "version_value": "All versions \u003c V7.23.27" } ] } }, { "product_name": "Mendix Applications using Mendix 8", "version": { "version_data": [ { "version_value": "All versions \u003c V8.18.14" } ] } }, { "product_name": "Mendix Applications using Mendix 9", "version": { "version_data": [ { "version_value": "All versions \u003c V9.12.0" } ] } }, { "product_name": "Mendix Applications using Mendix 9 (V9.6)", "version": { "version_data": [ { "version_value": "All versions \u003c V9.6.3" } ] } } ] }, "vendor_name": "Siemens" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions \u003c V7.23.27), Mendix Applications using Mendix 8 (All versions \u003c V8.18.14), Mendix Applications using Mendix 9 (All versions \u003c V9.12.0), Mendix Applications using Mendix 9 (V9.6) (All versions \u003c V9.6.3). When querying the database, it is possible to sort the results using a protected field. With this an authenticated attacker could extract information about the contents of a protected field." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-284: Improper Access Control" } ] } ] }, "references": { "reference_data": [ { "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-870917.pdf", "refsource": "MISC", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-870917.pdf" } ] } } } }, "cveMetadata": { "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "assignerShortName": "siemens", "cveId": "CVE-2022-25650", "datePublished": "2022-04-12T09:07:42", "dateReserved": "2022-02-22T00:00:00", "dateUpdated": "2024-08-03T04:42:50.611Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-33718
Vulnerability from cvelistv5
Published
2021-07-13 11:03
Modified
2024-08-03 23:58
Severity ?
EPSS score ?
Summary
A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.22), Mendix Applications using Mendix 8 (All versions < V8.18.7), Mendix Applications using Mendix 9 (All versions < V9.3.0). Write access checks of attributes of an object could be bypassed, if user has a write permissions to the first attribute of this object.
References
▼ | URL | Tags |
---|---|---|
https://cert-portal.siemens.com/productcert/pdf/ssa-352521.pdf | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T23:58:22.807Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-352521.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mendix Applications using Mendix 7", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V7.23.22" } ] }, { "product": "Mendix Applications using Mendix 8", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V8.18.7" } ] }, { "product": "Mendix Applications using Mendix 9", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V9.3.0" } ] } ], "descriptions": [ { "lang": "en", "value": "A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions \u003c V7.23.22), Mendix Applications using Mendix 8 (All versions \u003c V8.18.7), Mendix Applications using Mendix 9 (All versions \u003c V9.3.0). Write access checks of attributes of an object could be bypassed, if user has a write permissions to the first attribute of this object." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-07-13T11:03:06", "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-352521.pdf" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "productcert@siemens.com", "ID": "CVE-2021-33718", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mendix Applications using Mendix 7", "version": { "version_data": [ { "version_value": "All versions \u003c V7.23.22" } ] } }, { "product_name": "Mendix Applications using Mendix 8", "version": { "version_data": [ { "version_value": "All versions \u003c V8.18.7" } ] } }, { "product_name": "Mendix Applications using Mendix 9", "version": { "version_data": [ { "version_value": "All versions \u003c V9.3.0" } ] } } ] }, "vendor_name": "Siemens" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions \u003c V7.23.22), Mendix Applications using Mendix 8 (All versions \u003c V8.18.7), Mendix Applications using Mendix 9 (All versions \u003c V9.3.0). Write access checks of attributes of an object could be bypassed, if user has a write permissions to the first attribute of this object." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-863: Incorrect Authorization" } ] } ] }, "references": { "reference_data": [ { "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-352521.pdf", "refsource": "MISC", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-352521.pdf" } ] } } } }, "cveMetadata": { "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "assignerShortName": "siemens", "cveId": "CVE-2021-33718", "datePublished": "2021-07-13T11:03:06", "dateReserved": "2021-05-28T00:00:00", "dateUpdated": "2024-08-03T23:58:22.807Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-42025
Vulnerability from cvelistv5
Published
2021-11-09 11:32
Modified
2024-08-04 03:22
Severity ?
EPSS score ?
Summary
A vulnerability has been identified in Mendix Applications using Mendix 8 (All versions < V8.18.13), Mendix Applications using Mendix 9 (All versions < V9.6.2). Applications built with affected versions of Mendix Studio Pro do not properly control write access for certain client actions. This could allow authenticated attackers to manipulate the content of System.FileDocument objects in some cases, regardless whether they have write access to it.
References
▼ | URL | Tags |
---|---|---|
https://cert-portal.siemens.com/productcert/pdf/ssa-779699.pdf | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T03:22:25.924Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-779699.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mendix Applications using Mendix 8", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V8.18.13" } ] }, { "product": "Mendix Applications using Mendix 9", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V9.6.2" } ] } ], "descriptions": [ { "lang": "en", "value": "A vulnerability has been identified in Mendix Applications using Mendix 8 (All versions \u003c V8.18.13), Mendix Applications using Mendix 9 (All versions \u003c V9.6.2). Applications built with affected versions of Mendix Studio Pro do not properly control write access for certain client actions. This could allow authenticated attackers to manipulate the content of System.FileDocument objects in some cases, regardless whether they have write access to it." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-11-09T11:32:16", "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-779699.pdf" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "productcert@siemens.com", "ID": "CVE-2021-42025", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mendix Applications using Mendix 8", "version": { "version_data": [ { "version_value": "All versions \u003c V8.18.13" } ] } }, { "product_name": "Mendix Applications using Mendix 9", "version": { "version_data": [ { "version_value": "All versions \u003c V9.6.2" } ] } } ] }, "vendor_name": "Siemens" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A vulnerability has been identified in Mendix Applications using Mendix 8 (All versions \u003c V8.18.13), Mendix Applications using Mendix 9 (All versions \u003c V9.6.2). Applications built with affected versions of Mendix Studio Pro do not properly control write access for certain client actions. This could allow authenticated attackers to manipulate the content of System.FileDocument objects in some cases, regardless whether they have write access to it." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-863: Incorrect Authorization" } ] } ] }, "references": { "reference_data": [ { "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-779699.pdf", "refsource": "MISC", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-779699.pdf" } ] } } } }, "cveMetadata": { "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "assignerShortName": "siemens", "cveId": "CVE-2021-42025", "datePublished": "2021-11-09T11:32:16", "dateReserved": "2021-10-06T00:00:00", "dateUpdated": "2024-08-04T03:22:25.924Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-23835
Vulnerability from cvelistv5
Published
2023-02-14 10:36
Modified
2024-08-02 10:42
Severity ?
EPSS score ?
Summary
A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.34), Mendix Applications using Mendix 8 (All versions < V8.18.23), Mendix Applications using Mendix 9 (All versions < V9.22.0), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.10), Mendix Applications using Mendix 9 (V9.18) (All versions < V9.18.4), Mendix Applications using Mendix 9 (V9.6) (All versions < V9.6.15). Some of the Mendix runtime API’s allow attackers to bypass XPath constraints and retrieve information using XPath queries that trigger errors.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T10:42:27.044Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-252808.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Mendix Applications using Mendix 7", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V7.23.34" } ] }, { "defaultStatus": "unknown", "product": "Mendix Applications using Mendix 8", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V8.18.23" } ] }, { "defaultStatus": "unknown", "product": "Mendix Applications using Mendix 9", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V9.22.0" } ] }, { "defaultStatus": "unknown", "product": "Mendix Applications using Mendix 9 (V9.12)", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V9.12.10" } ] }, { "defaultStatus": "unknown", "product": "Mendix Applications using Mendix 9 (V9.18)", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V9.18.4" } ] }, { "defaultStatus": "unknown", "product": "Mendix Applications using Mendix 9 (V9.6)", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V9.6.15" } ] } ], "descriptions": [ { "lang": "en", "value": "A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions \u003c V7.23.34), Mendix Applications using Mendix 8 (All versions \u003c V8.18.23), Mendix Applications using Mendix 9 (All versions \u003c V9.22.0), Mendix Applications using Mendix 9 (V9.12) (All versions \u003c V9.12.10), Mendix Applications using Mendix 9 (V9.18) (All versions \u003c V9.18.4), Mendix Applications using Mendix 9 (V9.6) (All versions \u003c V9.6.15). Some of the Mendix runtime API\u2019s allow attackers to bypass XPath constraints and retrieve information using XPath queries that trigger errors." } ], "metrics": [ { "cvssV3_1": { "baseScore": 5.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-02-15T09:24:58.910Z", "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens" }, "references": [ { "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-252808.pdf" } ] } }, "cveMetadata": { "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "assignerShortName": "siemens", "cveId": "CVE-2023-23835", "datePublished": "2023-02-14T10:36:23.615Z", "dateReserved": "2023-01-18T10:28:31.589Z", "dateUpdated": "2024-08-02T10:42:27.044Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-42015
Vulnerability from cvelistv5
Published
2021-11-09 11:32
Modified
2024-08-04 03:22
Severity ?
EPSS score ?
Summary
A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.26), Mendix Applications using Mendix 8 (All versions < V8.18.12), Mendix Applications using Mendix 9 (All versions < V9.6.1). Applications built with affected versions of Mendix Studio Pro do not prevent file documents from being cached when files are opened or downloaded using a browser. This could allow a local attacker to read those documents by exploring the browser cache.
References
▼ | URL | Tags |
---|---|---|
https://cert-portal.siemens.com/productcert/pdf/ssa-338732.pdf | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T03:22:25.646Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-338732.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mendix Applications using Mendix 7", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V7.23.26" } ] }, { "product": "Mendix Applications using Mendix 8", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V8.18.12" } ] }, { "product": "Mendix Applications using Mendix 9", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V9.6.1" } ] } ], "descriptions": [ { "lang": "en", "value": "A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions \u003c V7.23.26), Mendix Applications using Mendix 8 (All versions \u003c V8.18.12), Mendix Applications using Mendix 9 (All versions \u003c V9.6.1). Applications built with affected versions of Mendix Studio Pro do not prevent file documents from being cached when files are opened or downloaded using a browser. This could allow a local attacker to read those documents by exploring the browser cache." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-525", "description": "CWE-525: Use of Web Browser Cache Containing Sensitive Information", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-11-09T11:32:14", "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-338732.pdf" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "productcert@siemens.com", "ID": "CVE-2021-42015", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mendix Applications using Mendix 7", "version": { "version_data": [ { "version_value": "All versions \u003c V7.23.26" } ] } }, { "product_name": "Mendix Applications using Mendix 8", "version": { "version_data": [ { "version_value": "All versions \u003c V8.18.12" } ] } }, { "product_name": "Mendix Applications using Mendix 9", "version": { "version_data": [ { "version_value": "All versions \u003c V9.6.1" } ] } } ] }, "vendor_name": "Siemens" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions \u003c V7.23.26), Mendix Applications using Mendix 8 (All versions \u003c V8.18.12), Mendix Applications using Mendix 9 (All versions \u003c V9.6.1). Applications built with affected versions of Mendix Studio Pro do not prevent file documents from being cached when files are opened or downloaded using a browser. This could allow a local attacker to read those documents by exploring the browser cache." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-525: Use of Web Browser Cache Containing Sensitive Information" } ] } ] }, "references": { "reference_data": [ { "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-338732.pdf", "refsource": "MISC", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-338732.pdf" } ] } } } }, "cveMetadata": { "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "assignerShortName": "siemens", "cveId": "CVE-2021-42015", "datePublished": "2021-11-09T11:32:14", "dateReserved": "2021-10-06T00:00:00", "dateUpdated": "2024-08-04T03:22:25.646Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-31257
Vulnerability from cvelistv5
Published
2022-07-12 10:06
Modified
2024-08-03 07:11
Severity ?
EPSS score ?
Summary
A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.31), Mendix Applications using Mendix 8 (All versions < V8.18.18), Mendix Applications using Mendix 9 (All versions < V9.14.0), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.2), Mendix Applications using Mendix 9 (V9.6) (All versions < V9.6.12). In case of access to an active user session in an application that is built with an affected version, it’s possible to change that user’s password bypassing password validations within a Mendix application. This could allow to set weak passwords.
References
▼ | URL | Tags |
---|---|---|
https://cert-portal.siemens.com/productcert/pdf/ssa-433782.pdf | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T07:11:39.898Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-433782.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mendix Applications using Mendix 7", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V7.23.31" } ] }, { "product": "Mendix Applications using Mendix 8", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V8.18.18" } ] }, { "product": "Mendix Applications using Mendix 9", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V9.14.0" } ] }, { "product": "Mendix Applications using Mendix 9 (V9.12)", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V9.12.2" } ] }, { "product": "Mendix Applications using Mendix 9 (V9.6)", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V9.6.12" } ] } ], "descriptions": [ { "lang": "en", "value": "A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions \u003c V7.23.31), Mendix Applications using Mendix 8 (All versions \u003c V8.18.18), Mendix Applications using Mendix 9 (All versions \u003c V9.14.0), Mendix Applications using Mendix 9 (V9.12) (All versions \u003c V9.12.2), Mendix Applications using Mendix 9 (V9.6) (All versions \u003c V9.6.12). In case of access to an active user session in an application that is built with an affected version, it\u2019s possible to change that user\u2019s password bypassing password validations within a Mendix application. This could allow to set weak passwords." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2022-07-12T10:06:42", "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-433782.pdf" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "productcert@siemens.com", "ID": "CVE-2022-31257", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mendix Applications using Mendix 7", "version": { "version_data": [ { "version_value": "All versions \u003c V7.23.31" } ] } }, { "product_name": "Mendix Applications using Mendix 8", "version": { "version_data": [ { "version_value": "All versions \u003c V8.18.18" } ] } }, { "product_name": "Mendix Applications using Mendix 9", "version": { "version_data": [ { "version_value": "All versions \u003c V9.14.0" } ] } }, { "product_name": "Mendix Applications using Mendix 9 (V9.12)", "version": { "version_data": [ { "version_value": "All versions \u003c V9.12.2" } ] } }, { "product_name": "Mendix Applications using Mendix 9 (V9.6)", "version": { "version_data": [ { "version_value": "All versions \u003c V9.6.12" } ] } } ] }, "vendor_name": "Siemens" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions \u003c V7.23.31), Mendix Applications using Mendix 8 (All versions \u003c V8.18.18), Mendix Applications using Mendix 9 (All versions \u003c V9.14.0), Mendix Applications using Mendix 9 (V9.12) (All versions \u003c V9.12.2), Mendix Applications using Mendix 9 (V9.6) (All versions \u003c V9.6.12). In case of access to an active user session in an application that is built with an affected version, it\u2019s possible to change that user\u2019s password bypassing password validations within a Mendix application. This could allow to set weak passwords." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-284: Improper Access Control" } ] } ] }, "references": { "reference_data": [ { "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-433782.pdf", "refsource": "MISC", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-433782.pdf" } ] } } } }, "cveMetadata": { "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "assignerShortName": "siemens", "cveId": "CVE-2022-31257", "datePublished": "2022-07-12T10:06:43", "dateReserved": "2022-05-20T00:00:00", "dateUpdated": "2024-08-03T07:11:39.898Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-27394
Vulnerability from cvelistv5
Published
2021-04-16 20:00
Modified
2024-08-03 20:48
Severity ?
EPSS score ?
Summary
A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.19), Mendix Applications using Mendix 8 (All versions < V8.17.0), Mendix Applications using Mendix 8 (V8.12) (All versions < V8.12.5), Mendix Applications using Mendix 8 (V8.6) (All versions < V8.6.9), Mendix Applications using Mendix 9 (All versions < V9.0.5). Authenticated, non-administrative users could modify their privileges by manipulating the user role under certain circumstances, allowing them to gain administrative privileges.
References
▼ | URL | Tags |
---|---|---|
https://cert-portal.siemens.com/productcert/pdf/ssa-875726.pdf | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T20:48:16.703Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-875726.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mendix Applications using Mendix 7", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V7.23.19" } ] }, { "product": "Mendix Applications using Mendix 8", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V8.17.0" } ] }, { "product": "Mendix Applications using Mendix 8 (V8.12)", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V8.12.5" } ] }, { "product": "Mendix Applications using Mendix 8 (V8.6)", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V8.6.9" } ] }, { "product": "Mendix Applications using Mendix 9", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V9.0.5" } ] } ], "descriptions": [ { "lang": "en", "value": "A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions \u003c V7.23.19), Mendix Applications using Mendix 8 (All versions \u003c V8.17.0), Mendix Applications using Mendix 8 (V8.12) (All versions \u003c V8.12.5), Mendix Applications using Mendix 8 (V8.6) (All versions \u003c V8.6.9), Mendix Applications using Mendix 9 (All versions \u003c V9.0.5). Authenticated, non-administrative users could modify their privileges by manipulating the user role under certain circumstances, allowing them to gain administrative privileges." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-269", "description": "CWE-269: Improper Privilege Management", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-04-16T20:00:14", "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-875726.pdf" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "productcert@siemens.com", "ID": "CVE-2021-27394", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mendix Applications using Mendix 7", "version": { "version_data": [ { "version_value": "All versions \u003c V7.23.19" } ] } }, { "product_name": "Mendix Applications using Mendix 8", "version": { "version_data": [ { "version_value": "All versions \u003c V8.17.0" } ] } }, { "product_name": "Mendix Applications using Mendix 8 (V8.12)", "version": { "version_data": [ { "version_value": "All versions \u003c V8.12.5" } ] } }, { "product_name": "Mendix Applications using Mendix 8 (V8.6)", "version": { "version_data": [ { "version_value": "All versions \u003c V8.6.9" } ] } }, { "product_name": "Mendix Applications using Mendix 9", "version": { "version_data": [ { "version_value": "All versions \u003c V9.0.5" } ] } } ] }, "vendor_name": "Siemens" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions \u003c V7.23.19), Mendix Applications using Mendix 8 (All versions \u003c V8.17.0), Mendix Applications using Mendix 8 (V8.12) (All versions \u003c V8.12.5), Mendix Applications using Mendix 8 (V8.6) (All versions \u003c V8.6.9), Mendix Applications using Mendix 9 (All versions \u003c V9.0.5). Authenticated, non-administrative users could modify their privileges by manipulating the user role under certain circumstances, allowing them to gain administrative privileges." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-269: Improper Privilege Management" } ] } ] }, "references": { "reference_data": [ { "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-875726.pdf", "refsource": "MISC", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-875726.pdf" } ] } } } }, "cveMetadata": { "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "assignerShortName": "siemens", "cveId": "CVE-2021-27394", "datePublished": "2021-04-16T20:00:14", "dateReserved": "2021-02-18T00:00:00", "dateUpdated": "2024-08-03T20:48:16.703Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2021-42026
Vulnerability from cvelistv5
Published
2021-11-09 11:32
Modified
2024-08-04 03:22
Severity ?
EPSS score ?
Summary
A vulnerability has been identified in Mendix Applications using Mendix 8 (All versions < V8.18.13), Mendix Applications using Mendix 9 (All versions < V9.6.2). Applications built with affected versions of Mendix Studio Pro do not properly control read access for certain client actions. This could allow authenticated attackers to retrieve the changedDate attribute of arbitrary objects, even when they don't have read access to them.
References
▼ | URL | Tags |
---|---|---|
https://cert-portal.siemens.com/productcert/pdf/ssa-779699.pdf | x_refsource_MISC |
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T03:22:25.755Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-779699.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Mendix Applications using Mendix 8", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V8.18.13" } ] }, { "product": "Mendix Applications using Mendix 9", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V9.6.2" } ] } ], "descriptions": [ { "lang": "en", "value": "A vulnerability has been identified in Mendix Applications using Mendix 8 (All versions \u003c V8.18.13), Mendix Applications using Mendix 9 (All versions \u003c V9.6.2). Applications built with affected versions of Mendix Studio Pro do not properly control read access for certain client actions. This could allow authenticated attackers to retrieve the changedDate attribute of arbitrary objects, even when they don\u0027t have read access to them." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-11-09T11:32:17", "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-779699.pdf" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "productcert@siemens.com", "ID": "CVE-2021-42026", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Mendix Applications using Mendix 8", "version": { "version_data": [ { "version_value": "All versions \u003c V8.18.13" } ] } }, { "product_name": "Mendix Applications using Mendix 9", "version": { "version_data": [ { "version_value": "All versions \u003c V9.6.2" } ] } } ] }, "vendor_name": "Siemens" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A vulnerability has been identified in Mendix Applications using Mendix 8 (All versions \u003c V8.18.13), Mendix Applications using Mendix 9 (All versions \u003c V9.6.2). Applications built with affected versions of Mendix Studio Pro do not properly control read access for certain client actions. This could allow authenticated attackers to retrieve the changedDate attribute of arbitrary objects, even when they don\u0027t have read access to them." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-863: Incorrect Authorization" } ] } ] }, "references": { "reference_data": [ { "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-779699.pdf", "refsource": "MISC", "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-779699.pdf" } ] } } } }, "cveMetadata": { "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "assignerShortName": "siemens", "cveId": "CVE-2021-42026", "datePublished": "2021-11-09T11:32:17", "dateReserved": "2021-10-06T00:00:00", "dateUpdated": "2024-08-04T03:22:25.755Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-45794
Vulnerability from cvelistv5
Published
2023-11-14 11:04
Modified
2024-08-02 20:29
Severity ?
EPSS score ?
Summary
A vulnerability has been identified in Mendix Applications using Mendix 10 (All versions < V10.4.0), Mendix Applications using Mendix 7 (All versions < V7.23.37), Mendix Applications using Mendix 8 (All versions < V8.18.27), Mendix Applications using Mendix 9 (All versions < V9.24.10). A capture-replay flaw in the platform could have an impact to apps built with the platform, if certain preconditions are met that depend on the app's model and access control design.
This could allow authenticated attackers to access or modify objects without proper authorization, or escalate privileges in the context of the vulnerable app.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T20:29:32.353Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-084182.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Mendix Applications using Mendix 10", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V10.4.0" } ] }, { "defaultStatus": "unknown", "product": "Mendix Applications using Mendix 7", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V7.23.37" } ] }, { "defaultStatus": "unknown", "product": "Mendix Applications using Mendix 8", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V8.18.27" } ] }, { "defaultStatus": "unknown", "product": "Mendix Applications using Mendix 9", "vendor": "Siemens", "versions": [ { "status": "affected", "version": "All versions \u003c V9.24.10" } ] } ], "descriptions": [ { "lang": "en", "value": "A vulnerability has been identified in Mendix Applications using Mendix 10 (All versions \u003c V10.4.0), Mendix Applications using Mendix 7 (All versions \u003c V7.23.37), Mendix Applications using Mendix 8 (All versions \u003c V8.18.27), Mendix Applications using Mendix 9 (All versions \u003c V9.24.10). A capture-replay flaw in the platform could have an impact to apps built with the platform, if certain preconditions are met that depend on the app\u0027s model and access control design.\r\n\r\nThis could allow authenticated attackers to access or modify objects without proper authorization, or escalate privileges in the context of the vulnerable app." } ], "metrics": [ { "cvssV3_1": { "baseScore": 6.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-294", "description": "CWE-294: Authentication Bypass by Capture-replay", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-11-14T11:04:16.602Z", "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens" }, "references": [ { "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-084182.pdf" } ] } }, "cveMetadata": { "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "assignerShortName": "siemens", "cveId": "CVE-2023-45794", "datePublished": "2023-11-14T11:04:16.602Z", "dateReserved": "2023-10-12T17:15:59.195Z", "dateUpdated": "2024-08-02T20:29:32.353Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2022-24309
Vulnerability from cvelistv5
Published
2022-03-08 11:31
Modified
2024-10-08 08:39
Severity ?
EPSS score ?
Summary
A vulnerability has been identified in Mendix Runtime V7 (All versions < V7.23.29), Mendix Runtime V8 (All versions < V8.18.16), Mendix Runtime V9 (All versions < V9.13 only with Runtime Custom Setting *DataStorage.UseNewQueryHandler* set to False). If an entity has an association readable by the user, then in some cases, Mendix Runtime may not apply checks for XPath constraints that parse said associations, within apps running on affected versions. A malicious user could use this to dump and manipulate sensitive data.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T04:07:02.516Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-148641.pdf" }, { "tags": [ "x_transferred" ], "url": "https://cert-portal.siemens.com/productcert/html/ssa-148641.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unknown", "product": "Mendix Runtime V7", "vendor": "Siemens", "versions": [ { "lessThan": "V7.23.29", "status": "affected", "version": "0", "versionType": "custom" } ] }, { "defaultStatus": "unknown", "product": "Mendix Runtime V8", "vendor": "Siemens", "versions": [ { "lessThan": "V8.18.16", "status": "affected", "version": "0", "versionType": "custom" } ] }, { "defaultStatus": "unknown", "product": "Mendix Runtime V9", "vendor": "Siemens", "versions": [ { "lessThan": "V9.13", "status": "affected", "version": "0", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "A vulnerability has been identified in Mendix Runtime V7 (All versions \u003c V7.23.29), Mendix Runtime V8 (All versions \u003c V8.18.16), Mendix Runtime V9 (All versions \u003c V9.13 only with Runtime Custom Setting *DataStorage.UseNewQueryHandler* set to False). If an entity has an association readable by the user, then in some cases, Mendix Runtime may not apply checks for XPath constraints that parse said associations, within apps running on affected versions. A malicious user could use this to dump and manipulate sensitive data." } ], "metrics": [ { "cvssV3_1": { "baseScore": 6.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284: Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-10-08T08:39:51.939Z", "orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-148641.pdf" }, { "url": "https://cert-portal.siemens.com/productcert/html/ssa-148641.html" } ] } }, "cveMetadata": { "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "assignerShortName": "siemens", "cveId": "CVE-2022-24309", "datePublished": "2022-03-08T11:31:29", "dateReserved": "2022-02-02T00:00:00", "dateUpdated": "2024-10-08T08:39:51.939Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }