Search criteria
24 vulnerabilities found for saml by mendix
FKIE_CVE-2023-29129
Vulnerability from fkie_nvd - Published: 2023-06-13 09:15 - Updated: 2024-11-21 07:56
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions >= V1.17.3 < V1.18.0), Mendix SAML (Mendix 7 compatible) (All versions >= V1.16.4 < V1.17.3), Mendix SAML (Mendix 8 compatible) (All versions >= V2.3.0 < V2.4.0), Mendix SAML (Mendix 8 compatible) (All versions >= V2.2.0 < V2.3.0), Mendix SAML (Mendix 9 latest compatible, New Track) (All versions >= V3.3.1 < V3.6.1), Mendix SAML (Mendix 9 latest compatible, New Track) (All versions >= V3.1.9 < V3.3.1), Mendix SAML (Mendix 9 latest compatible, Upgrade Track) (All versions >= V3.3.0 < V3.6.0), Mendix SAML (Mendix 9 latest compatible, Upgrade Track) (All versions >= V3.1.8 < V3.3.0), Mendix SAML (Mendix 9.12/9.18 compatible, New Track) (All versions >= V3.3.1 < V3.3.15), Mendix SAML (Mendix 9.12/9.18 compatible, Upgrade Track) (All versions >= V3.3.0 < V3.3.14), Mendix SAML (Mendix 9.6 compatible, New Track) (All versions >= V3.1.9 < V3.2.7), Mendix SAML (Mendix 9.6 compatible, Upgrade Track) (All versions >= V3.1.8 < V3.2.6). The affected versions of the module insufficiently verify the SAML assertions. This could allow unauthenticated remote attackers to bypass authentication and get access to the application.
This CVE entry describes the incomplete fix for CVE-2023-25957 in a specific non default configuration.
References
| URL | Tags | ||
|---|---|---|---|
| productcert@siemens.com | https://cert-portal.siemens.com/productcert/pdf/ssa-851884.pdf | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cert-portal.siemens.com/productcert/pdf/ssa-851884.pdf | Patch, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mendix:saml:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ACDDF077-AA8C-4C06-9CE4-9816A2C0D0D2",
"versionEndExcluding": "1.18.0",
"versionStartIncluding": "1.16.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mendix:saml:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C51EC049-8523-42C1-84FB-AAD63944C06D",
"versionEndExcluding": "2.4.0",
"versionStartIncluding": "2.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mendix:saml:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AB89301A-0D96-4941-B2EE-994BAED23B2A",
"versionEndExcluding": "3.6.1",
"versionStartIncluding": "3.1.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions \u003e= V1.17.3 \u003c V1.18.0), Mendix SAML (Mendix 7 compatible) (All versions \u003e= V1.16.4 \u003c V1.17.3), Mendix SAML (Mendix 8 compatible) (All versions \u003e= V2.3.0 \u003c V2.4.0), Mendix SAML (Mendix 8 compatible) (All versions \u003e= V2.2.0 \u003c V2.3.0), Mendix SAML (Mendix 9 latest compatible, New Track) (All versions \u003e= V3.3.1 \u003c V3.6.1), Mendix SAML (Mendix 9 latest compatible, New Track) (All versions \u003e= V3.1.9 \u003c V3.3.1), Mendix SAML (Mendix 9 latest compatible, Upgrade Track) (All versions \u003e= V3.3.0 \u003c V3.6.0), Mendix SAML (Mendix 9 latest compatible, Upgrade Track) (All versions \u003e= V3.1.8 \u003c V3.3.0), Mendix SAML (Mendix 9.12/9.18 compatible, New Track) (All versions \u003e= V3.3.1 \u003c V3.3.15), Mendix SAML (Mendix 9.12/9.18 compatible, Upgrade Track) (All versions \u003e= V3.3.0 \u003c V3.3.14), Mendix SAML (Mendix 9.6 compatible, New Track) (All versions \u003e= V3.1.9 \u003c V3.2.7), Mendix SAML (Mendix 9.6 compatible, Upgrade Track) (All versions \u003e= V3.1.8 \u003c V3.2.6). The affected versions of the module insufficiently verify the SAML assertions. This could allow unauthenticated remote attackers to bypass authentication and get access to the application.\r\n\r\nThis CVE entry describes the incomplete fix for CVE-2023-25957 in a specific non default configuration."
}
],
"id": "CVE-2023-29129",
"lastModified": "2024-11-21T07:56:35.677",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "productcert@siemens.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-06-13T09:15:16.767",
"references": [
{
"source": "productcert@siemens.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-851884.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-851884.pdf"
}
],
"sourceIdentifier": "productcert@siemens.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-303"
}
],
"source": "productcert@siemens.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2023-25957
Vulnerability from fkie_nvd - Published: 2023-03-14 10:15 - Updated: 2024-11-21 07:50
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions >= V1.16.4 < V1.17.3), Mendix SAML (Mendix 8 compatible) (All versions >= V2.2.0 < V2.3.0), Mendix SAML (Mendix 9 latest compatible, New Track) (All versions >= V3.1.9 < V3.3.1), Mendix SAML (Mendix 9 latest compatible, Upgrade Track) (All versions >= V3.1.8 < V3.3.0), Mendix SAML (Mendix 9.6 compatible, New Track) (All versions >= V3.1.9 < V3.2.7), Mendix SAML (Mendix 9.6 compatible, Upgrade Track) (All versions >= V3.1.8 < V3.2.6). The affected versions of the module insufficiently verify the SAML assertions. This could allow unauthenticated remote attackers to bypass authentication and get access to the application.
For compatibility reasons, fix versions still contain this issue, but only when the recommended, default configuration option `'Use Encryption'` is disabled.
References
| URL | Tags | ||
|---|---|---|---|
| productcert@siemens.com | https://cert-portal.siemens.com/productcert/pdf/ssa-851884.pdf | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cert-portal.siemens.com/productcert/pdf/ssa-851884.pdf | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mendix:saml:*:*:*:*:*:mendix:*:*",
"matchCriteriaId": "E78110E3-955F-480D-B613-1DCFA65C4314",
"versionEndExcluding": "1.17.2",
"versionStartIncluding": "1.16.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mendix:saml:*:*:*:*:*:mendix:*:*",
"matchCriteriaId": "F19D5A0C-D480-4F6E-B965-E0137F72F6B0",
"versionEndExcluding": "2.2.3",
"versionStartIncluding": "2.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mendix:saml:*:*:*:*:*:mendix:*:*",
"matchCriteriaId": "D99EF1F1-27A1-4032-ACD9-DBBBD3A9733A",
"versionEndExcluding": "3.2.5",
"versionStartIncluding": "3.1.9",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions \u003e= V1.16.4 \u003c V1.17.3), Mendix SAML (Mendix 8 compatible) (All versions \u003e= V2.2.0 \u003c V2.3.0), Mendix SAML (Mendix 9 latest compatible, New Track) (All versions \u003e= V3.1.9 \u003c V3.3.1), Mendix SAML (Mendix 9 latest compatible, Upgrade Track) (All versions \u003e= V3.1.8 \u003c V3.3.0), Mendix SAML (Mendix 9.6 compatible, New Track) (All versions \u003e= V3.1.9 \u003c V3.2.7), Mendix SAML (Mendix 9.6 compatible, Upgrade Track) (All versions \u003e= V3.1.8 \u003c V3.2.6). The affected versions of the module insufficiently verify the SAML assertions. This could allow unauthenticated remote attackers to bypass authentication and get access to the application.\r\n\r\nFor compatibility reasons, fix versions still contain this issue, but only when the recommended, default configuration option `\u0027Use Encryption\u0027` is disabled."
}
],
"id": "CVE-2023-25957",
"lastModified": "2024-11-21T07:50:31.157",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "productcert@siemens.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-03-14T10:15:28.577",
"references": [
{
"source": "productcert@siemens.com",
"tags": [
"Third Party Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-851884.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-851884.pdf"
}
],
"sourceIdentifier": "productcert@siemens.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-303"
}
],
"source": "productcert@siemens.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-46823
Vulnerability from fkie_nvd - Published: 2023-01-10 12:15 - Updated: 2024-11-21 07:31
Severity ?
9.3 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
A vulnerability has been identified in Mendix SAML (Mendix 8 compatible) (All versions >= V2.3.0 < V2.3.4), Mendix SAML (Mendix 9 compatible, New Track) (All versions >= V3.3.0 < V3.3.9), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions >= V3.3.0 < V3.3.8). The affected module is vulnerable to reflected cross-site scripting (XSS) attacks. This could allow an attacker to extract sensitive information by tricking users into accessing a malicious link.
References
| URL | Tags | ||
|---|---|---|---|
| productcert@siemens.com | https://cert-portal.siemens.com/productcert/pdf/ssa-496604.pdf | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cert-portal.siemens.com/productcert/pdf/ssa-496604.pdf | Patch, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mendix:saml:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FA388A2C-406A-4911-96EC-ACB1574B83AC",
"versionEndExcluding": "2.3.4",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mendix:saml:*:*:*:*:*:*:*:*",
"matchCriteriaId": "506D83D7-350A-4586-83AE-93E56C61C5FE",
"versionEndExcluding": "3.3.9",
"versionStartIncluding": "3.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Mendix SAML (Mendix 8 compatible) (All versions \u003e= V2.3.0 \u003c V2.3.4), Mendix SAML (Mendix 9 compatible, New Track) (All versions \u003e= V3.3.0 \u003c V3.3.9), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions \u003e= V3.3.0 \u003c V3.3.8). The affected module is vulnerable to reflected cross-site scripting (XSS) attacks. This could allow an attacker to extract sensitive information by tricking users into accessing a malicious link."
},
{
"lang": "es",
"value": "Se ha identificado una vulnerabilidad en Mendix SAML (compatible con Mendix 8) (Todas las versiones \u0026gt;= V2.3.0 \u0026lt; V2.3.4), Mendix SAML (compatible con Mendix 9, New Track) (Todas las versiones \u0026gt;= V3.3.0 \u0026lt; V3.3.9), Mendix SAML (compatible con Mendix 9, Upgrade Track) (Todas las versiones \u0026gt;= V3.3.0 \u0026lt; V3.3.8). El m\u00f3dulo afectado es vulnerable a ataques de cross-site scripting (XSS) reflejado. Esto podr\u00eda permitir a un atacante extraer informaci\u00f3n confidencial enga\u00f1ando a los usuarios para que accedan a un enlace malicioso."
}
],
"id": "CVE-2022-46823",
"lastModified": "2024-11-21T07:31:07.160",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.8,
"source": "productcert@siemens.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-01-10T12:15:23.753",
"references": [
{
"source": "productcert@siemens.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-496604.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-496604.pdf"
}
],
"sourceIdentifier": "productcert@siemens.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "productcert@siemens.com",
"type": "Primary"
}
]
}
FKIE_CVE-2022-44457
Vulnerability from fkie_nvd - Published: 2022-11-08 11:15 - Updated: 2025-05-01 18:15
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions < V1.17.0), Mendix SAML (Mendix 7 compatible) (All versions >= V1.17.0 < V1.17.2), Mendix SAML (Mendix 8 compatible) (All versions < V2.3.0), Mendix SAML (Mendix 8 compatible) (All versions >= V2.3.0 < V2.3.2), Mendix SAML (Mendix 9 compatible, New Track) (All versions < V3.3.1), Mendix SAML (Mendix 9 compatible, New Track) (All versions >= V3.3.1 < V3.3.5), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions < V3.3.0), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions >= V3.3.0 < V3.3.4). Affected versions of the module insufficiently protect from packet capture replay, only when the not recommended, non default configuration option `'Allow Idp Initiated Authentication'` is enabled. This CVE entry describes the incomplete fix for CVE-2022-37011 in a specific non default configuration.
References
| URL | Tags | ||
|---|---|---|---|
| productcert@siemens.com | https://cert-portal.siemens.com/productcert/pdf/ssa-638652.pdf | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cert-portal.siemens.com/productcert/pdf/ssa-638652.pdf | Patch, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mendix:saml:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FAE0D810-0D2A-4158-B1A1-045743098BA9",
"versionEndExcluding": "1.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mendix:saml:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6C2A31D3-792D-46F1-90C3-818EEE5D1C1B",
"versionEndExcluding": "2.3.2",
"versionStartIncluding": "2.3.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mendix:saml:*:*:*:*:*:*:*:*",
"matchCriteriaId": "083B7407-2BCC-41DC-BF2D-2AC3298A7FAA",
"versionEndExcluding": "3.3.4",
"versionStartIncluding": "3.3.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions \u003c V1.17.0), Mendix SAML (Mendix 7 compatible) (All versions \u003e= V1.17.0 \u003c V1.17.2), Mendix SAML (Mendix 8 compatible) (All versions \u003c V2.3.0), Mendix SAML (Mendix 8 compatible) (All versions \u003e= V2.3.0 \u003c V2.3.2), Mendix SAML (Mendix 9 compatible, New Track) (All versions \u003c V3.3.1), Mendix SAML (Mendix 9 compatible, New Track) (All versions \u003e= V3.3.1 \u003c V3.3.5), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions \u003c V3.3.0), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions \u003e= V3.3.0 \u003c V3.3.4). Affected versions of the module insufficiently protect from packet capture replay, only when the not recommended, non default configuration option `\u0027Allow Idp Initiated Authentication\u0027` is enabled. This CVE entry describes the incomplete fix for CVE-2022-37011 in a specific non default configuration."
},
{
"lang": "es",
"value": "Se ha identificado una vulnerabilidad en Mendix SAML (compatible con Mendix 7) (Todas las versiones \u0026lt; V1.17.0),\nMendix SAML (compatible con Mendix 7) (Todas las versiones \u0026gt;= V1.17.0 \u0026lt; V1.17.2), \nMendix SAML (Mendix 8 compatible) (Todas las versiones \u0026lt; V2.3.0), \nMendix SAML (compatible con Mendix 8) (Todas las versiones \u0026gt; V2.3.0 \u0026lt; V2.3.2), \nMendix SAML (compatible con Mendix 9, New Track) (Todas las versiones \u0026lt; V3.3.1), \nMendix SAML (compatible con Mendix 9, New Track) (todas las versiones \u0026gt;= V3.3.1 \u0026lt; V3.3.5), \nMendix SAML (compatible con Mendix 9, Upgrade Track) (todas las versiones \u0026lt; V3.3.0 ), \nMendix SAML (compatible con Mendix 9, Upgrade Track) (Todas las versiones \u0026gt; V3.3.0 y \u0026lt; V3.3.4). \nLas versiones afectadas del m\u00f3dulo no protegen suficientemente contra la reproducci\u00f3n de captura de paquetes, solo cuando la opci\u00f3n de configuraci\u00f3n no predeterminada y no recomendada \"\"Permitir Autenticaci\u00f3n Iniciada por Idp\"\" est\u00e1 habilitada. Esta entrada de CVE describe la soluci\u00f3n incompleta para CVE-2022-37011 en una configuraci\u00f3n espec\u00edfica no predeterminada."
}
],
"id": "CVE-2022-44457",
"lastModified": "2025-05-01T18:15:50.063",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2022-11-08T11:15:12.257",
"references": [
{
"source": "productcert@siemens.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-638652.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-638652.pdf"
}
],
"sourceIdentifier": "productcert@siemens.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-294"
}
],
"source": "productcert@siemens.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-294"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-37011
Vulnerability from fkie_nvd - Published: 2022-09-13 10:15 - Updated: 2024-11-21 07:14
Severity ?
Summary
A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions < V1.17.0), Mendix SAML (Mendix 8 compatible) (All versions < V2.3.0), Mendix SAML (Mendix 9 compatible, New Track) (All versions < V3.3.1), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions < V3.3.0). Affected versions of the module insufficiently protect from packet capture replay. This could allow unauthorized remote attackers to bypass authentication and get access to the application. For compatibility reasons, fix versions still contain this issue, but only when the not recommended, non default configuration option `'Allow Idp Initiated Authentication'` is enabled.
References
| URL | Tags | ||
|---|---|---|---|
| productcert@siemens.com | https://cert-portal.siemens.com/productcert/pdf/ssa-638652.pdf | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cert-portal.siemens.com/productcert/pdf/ssa-638652.pdf | Patch, Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mendix:saml:*:*:*:*:*:*:*:*",
"matchCriteriaId": "FAE0D810-0D2A-4158-B1A1-045743098BA9",
"versionEndExcluding": "1.17.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mendix:saml:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C78D80C0-D12B-41C8-BEA8-576BF2FC5A31",
"versionEndExcluding": "2.3.0",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mendix:saml:*:*:*:*:*:*:*:*",
"matchCriteriaId": "22874B0C-7AF0-4223-9116-7AF3F6A38A32",
"versionEndExcluding": "3.3.1",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions \u003c V1.17.0), Mendix SAML (Mendix 8 compatible) (All versions \u003c V2.3.0), Mendix SAML (Mendix 9 compatible, New Track) (All versions \u003c V3.3.1), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions \u003c V3.3.0). Affected versions of the module insufficiently protect from packet capture replay. This could allow unauthorized remote attackers to bypass authentication and get access to the application. For compatibility reasons, fix versions still contain this issue, but only when the not recommended, non default configuration option `\u0027Allow Idp Initiated Authentication\u0027` is enabled."
},
{
"lang": "es",
"value": "Se ha identificado una vulnerabilidad en el m\u00f3dulo SAML de Mendix (compatible con Mendix 7) (todas las versiones anteriores a V1.17.0), el m\u00f3dulo SAML de Mendix (compatible con Mendix 8) (todas las versiones anteriores a V2.3.0), el m\u00f3dulo SAML de Mendix (compatible con Mendix 9, New Track) (todas las versiones anteriores a V3.3.1), el m\u00f3dulo SAML de Mendix (compatible con Mendix 9, Upgrade Track) (todas las versiones anteriores a V3.3.0). Las versiones afectadas del m\u00f3dulo no protegen suficientemente de la repetici\u00f3n de la captura de paquetes. Esto podr\u00eda permitir a atacantes remotos no autorizados eludir la autenticaci\u00f3n y obtener acceso a la aplicaci\u00f3n. Por razones de compatibilidad, las versiones corregidas a\u00fan contienen este problema, pero s\u00f3lo cuando la opci\u00f3n de configuraci\u00f3n no recomendada y no predeterminada `\u0027Permitir autenticaci\u00f3n iniciada por Idp\u0027` est\u00e1 activada"
}
],
"id": "CVE-2022-37011",
"lastModified": "2024-11-21T07:14:16.827",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-09-13T10:15:10.763",
"references": [
{
"source": "productcert@siemens.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-638652.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-638652.pdf"
}
],
"sourceIdentifier": "productcert@siemens.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-294"
}
],
"source": "productcert@siemens.com",
"type": "Primary"
}
]
}
FKIE_CVE-2022-32286
Vulnerability from fkie_nvd - Published: 2022-06-14 10:15 - Updated: 2024-11-21 07:06
Severity ?
Summary
A vulnerability has been identified in Mendix SAML Module (Mendix 7 compatible) (All versions < V1.16.6), Mendix SAML Module (Mendix 8 compatible) (All versions < V2.2.2), Mendix SAML Module (Mendix 9 compatible) (All versions < V3.2.3). In certain configurations SAML module is vulnerable to Cross Site Scripting (XSS) attacks due to insufficient error message sanitation. This could allow an attacker to execute malicious code by tricking users into accessing a malicious link.
References
| URL | Tags | ||
|---|---|---|---|
| productcert@siemens.com | https://cert-portal.siemens.com/productcert/pdf/ssa-740594.pdf | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cert-portal.siemens.com/productcert/pdf/ssa-740594.pdf | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mendix:saml:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E1E0186E-DD49-4794-B2EC-450BE2AE5E79",
"versionEndExcluding": "1.16.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mendix:saml:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AA6C2D26-26BC-4680-9490-0D68297AF201",
"versionEndExcluding": "2.2.2",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mendix:saml:*:*:*:*:*:*:*:*",
"matchCriteriaId": "86B810AA-A3FF-4608-92AB-DEFB74F0FF4C",
"versionEndExcluding": "3.2.3",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Mendix SAML Module (Mendix 7 compatible) (All versions \u003c V1.16.6), Mendix SAML Module (Mendix 8 compatible) (All versions \u003c V2.2.2), Mendix SAML Module (Mendix 9 compatible) (All versions \u003c V3.2.3). In certain configurations SAML module is vulnerable to Cross Site Scripting (XSS) attacks due to insufficient error message sanitation. This could allow an attacker to execute malicious code by tricking users into accessing a malicious link."
},
{
"lang": "es",
"value": "Se ha identificado una vulnerabilidad en el m\u00f3dulo SAML de Mendix (Mendix 7 compatible) (Todas las versiones anteriores a V1.16.6), el m\u00f3dulo SAML de Mendix (Mendix 8 compatible) (Todas las versiones anteriores a V2.2.2), el m\u00f3dulo SAML de Mendix (Mendix 9 compatible) (Todas las versiones anteriores a V3.2.3). En determinadas configuraciones el m\u00f3dulo SAML es vulnerable a ataques de tipo Cross Site Scripting (XSS) debido a un insuficiente saneo de los mensajes de error. Esto podr\u00eda permitir a un atacante ejecutar c\u00f3digo malicioso enga\u00f1ando a usuarios para que accedan a un enlace malicioso"
}
],
"id": "CVE-2022-32286",
"lastModified": "2024-11-21T07:06:06.397",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-14T10:15:21.383",
"references": [
{
"source": "productcert@siemens.com",
"tags": [
"Third Party Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-740594.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-740594.pdf"
}
],
"sourceIdentifier": "productcert@siemens.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "productcert@siemens.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2022-32285
Vulnerability from fkie_nvd - Published: 2022-06-14 10:15 - Updated: 2024-11-21 07:06
Severity ?
Summary
A vulnerability has been identified in Mendix SAML Module (Mendix 7 compatible) (All versions < V1.16.6), Mendix SAML Module (Mendix 8 compatible) (All versions < V2.2.2), Mendix SAML Module (Mendix 9 compatible) (All versions < V3.2.3). The affected module is vulnerable to XML External Entity (XXE) attacks due to insufficient input sanitation. This may allow an attacker to disclose confidential data under certain circumstances.
References
| URL | Tags | ||
|---|---|---|---|
| productcert@siemens.com | https://cert-portal.siemens.com/productcert/pdf/ssa-740594.pdf | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cert-portal.siemens.com/productcert/pdf/ssa-740594.pdf | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mendix:saml:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E1E0186E-DD49-4794-B2EC-450BE2AE5E79",
"versionEndExcluding": "1.16.6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mendix:saml:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AA6C2D26-26BC-4680-9490-0D68297AF201",
"versionEndExcluding": "2.2.2",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:mendix:saml:*:*:*:*:*:*:*:*",
"matchCriteriaId": "86B810AA-A3FF-4608-92AB-DEFB74F0FF4C",
"versionEndExcluding": "3.2.3",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Mendix SAML Module (Mendix 7 compatible) (All versions \u003c V1.16.6), Mendix SAML Module (Mendix 8 compatible) (All versions \u003c V2.2.2), Mendix SAML Module (Mendix 9 compatible) (All versions \u003c V3.2.3). The affected module is vulnerable to XML External Entity (XXE) attacks due to insufficient input sanitation. This may allow an attacker to disclose confidential data under certain circumstances."
},
{
"lang": "es",
"value": "Se ha identificado una vulnerabilidad en el m\u00f3dulo SAML de Mendix (compatible con Mendix 7) (Todas las versiones anteriores a V1.16.6), el m\u00f3dulo SAML de Mendix (compatible con Mendix 8) (Todas las versiones anteriores a V2.2.2), el m\u00f3dulo SAML de Mendix (compatible con Mendix 9) (Todas las versiones anteriores a V3.2.3). El m\u00f3dulo afectado es vulnerable a ataques de tipo XML External Entity (XXE), debido a un saneo de entrada insuficiente. Esto puede permitir a un atacante revelar datos confidenciales en determinadas circunstancias"
}
],
"id": "CVE-2022-32285",
"lastModified": "2024-11-21T07:06:06.280",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-14T10:15:21.320",
"references": [
{
"source": "productcert@siemens.com",
"tags": [
"Third Party Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-740594.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-740594.pdf"
}
],
"sourceIdentifier": "productcert@siemens.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "productcert@siemens.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-611"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-33712
Vulnerability from fkie_nvd - Published: 2021-06-08 20:15 - Updated: 2024-11-21 06:09
Severity ?
Summary
A vulnerability has been identified in Mendix SAML Module (All versions < V2.1.2). The configuration of the SAML module does not properly check various restrictions and validations imposed by an identity provider. This could allow a remote authenticated attacker to escalate privileges.
References
| URL | Tags | ||
|---|---|---|---|
| productcert@siemens.com | https://cert-portal.siemens.com/productcert/pdf/ssa-522654.pdf | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cert-portal.siemens.com/productcert/pdf/ssa-522654.pdf | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mendix:saml:*:*:*:*:*:*:*:*",
"matchCriteriaId": "4197CB7E-D723-4421-B544-A599E0F0C5CE",
"versionEndExcluding": "2.1.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Mendix SAML Module (All versions \u003c V2.1.2). The configuration of the SAML module does not properly check various restrictions and validations imposed by an identity provider. This could allow a remote authenticated attacker to escalate privileges."
},
{
"lang": "es",
"value": "Se ha identificado una vulnerabilidad en el m\u00f3dulo SAML de Mendix (todas las versiones anteriores a V2.1.2). La configuraci\u00f3n del m\u00f3dulo SAML no comprueba apropiadamente varias restricciones y validaciones impuestas por un proveedor de identidad. Esto podr\u00eda permitir a un atacante remoto autenticado escalar privilegios"
}
],
"id": "CVE-2021-33712",
"lastModified": "2024-11-21T06:09:25.607",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-06-08T20:15:09.093",
"references": [
{
"source": "productcert@siemens.com",
"tags": [
"Third Party Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-522654.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-522654.pdf"
}
],
"sourceIdentifier": "productcert@siemens.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-345"
}
],
"source": "productcert@siemens.com",
"type": "Primary"
}
]
}
CVE-2023-29129 (GCVE-0-2023-29129)
Vulnerability from cvelistv5 – Published: 2023-06-13 08:17 – Updated: 2025-01-03 01:45
VLAI?
Summary
A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions >= V1.17.3 < V1.18.0), Mendix SAML (Mendix 7 compatible) (All versions >= V1.16.4 < V1.17.3), Mendix SAML (Mendix 8 compatible) (All versions >= V2.3.0 < V2.4.0), Mendix SAML (Mendix 8 compatible) (All versions >= V2.2.0 < V2.3.0), Mendix SAML (Mendix 9 latest compatible, New Track) (All versions >= V3.3.1 < V3.6.1), Mendix SAML (Mendix 9 latest compatible, New Track) (All versions >= V3.1.9 < V3.3.1), Mendix SAML (Mendix 9 latest compatible, Upgrade Track) (All versions >= V3.3.0 < V3.6.0), Mendix SAML (Mendix 9 latest compatible, Upgrade Track) (All versions >= V3.1.8 < V3.3.0), Mendix SAML (Mendix 9.12/9.18 compatible, New Track) (All versions >= V3.3.1 < V3.3.15), Mendix SAML (Mendix 9.12/9.18 compatible, Upgrade Track) (All versions >= V3.3.0 < V3.3.14), Mendix SAML (Mendix 9.6 compatible, New Track) (All versions >= V3.1.9 < V3.2.7), Mendix SAML (Mendix 9.6 compatible, Upgrade Track) (All versions >= V3.1.8 < V3.2.6). The affected versions of the module insufficiently verify the SAML assertions. This could allow unauthenticated remote attackers to bypass authentication and get access to the application.
This CVE entry describes the incomplete fix for CVE-2023-25957 in a specific non default configuration.
Severity ?
9.1 (Critical)
CWE
- CWE-303 - Incorrect Implementation of Authentication Algorithm
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:14.997Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-851884.pdf"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29129",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-03T01:44:31.875796Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T01:45:08.421Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 7 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V1.17.3 \u003c V1.18.0"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 7 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V1.16.4 \u003c V1.17.3"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 8 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V2.3.0 \u003c V2.4.0"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 8 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V2.2.0 \u003c V2.3.0"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 9 latest compatible, New Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.3.1 \u003c V3.6.1"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 9 latest compatible, New Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.1.9 \u003c V3.3.1"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 9 latest compatible, Upgrade Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.3.0 \u003c V3.6.0"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 9 latest compatible, Upgrade Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.1.8 \u003c V3.3.0"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 9.12/9.18 compatible, New Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.3.1 \u003c V3.3.15"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 9.12/9.18 compatible, Upgrade Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.3.0 \u003c V3.3.14"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 9.6 compatible, New Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.1.9 \u003c V3.2.7"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 9.6 compatible, Upgrade Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.1.8 \u003c V3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions \u003e= V1.17.3 \u003c V1.18.0), Mendix SAML (Mendix 7 compatible) (All versions \u003e= V1.16.4 \u003c V1.17.3), Mendix SAML (Mendix 8 compatible) (All versions \u003e= V2.3.0 \u003c V2.4.0), Mendix SAML (Mendix 8 compatible) (All versions \u003e= V2.2.0 \u003c V2.3.0), Mendix SAML (Mendix 9 latest compatible, New Track) (All versions \u003e= V3.3.1 \u003c V3.6.1), Mendix SAML (Mendix 9 latest compatible, New Track) (All versions \u003e= V3.1.9 \u003c V3.3.1), Mendix SAML (Mendix 9 latest compatible, Upgrade Track) (All versions \u003e= V3.3.0 \u003c V3.6.0), Mendix SAML (Mendix 9 latest compatible, Upgrade Track) (All versions \u003e= V3.1.8 \u003c V3.3.0), Mendix SAML (Mendix 9.12/9.18 compatible, New Track) (All versions \u003e= V3.3.1 \u003c V3.3.15), Mendix SAML (Mendix 9.12/9.18 compatible, Upgrade Track) (All versions \u003e= V3.3.0 \u003c V3.3.14), Mendix SAML (Mendix 9.6 compatible, New Track) (All versions \u003e= V3.1.9 \u003c V3.2.7), Mendix SAML (Mendix 9.6 compatible, Upgrade Track) (All versions \u003e= V3.1.8 \u003c V3.2.6). The affected versions of the module insufficiently verify the SAML assertions. This could allow unauthenticated remote attackers to bypass authentication and get access to the application.\r\n\r\nThis CVE entry describes the incomplete fix for CVE-2023-25957 in a specific non default configuration."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-303",
"description": "CWE-303: Incorrect Implementation of Authentication Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-08T09:20:18.907Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-851884.pdf"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2023-29129",
"datePublished": "2023-06-13T08:17:09.102Z",
"dateReserved": "2023-03-31T10:54:25.290Z",
"dateUpdated": "2025-01-03T01:45:08.421Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-25957 (GCVE-0-2023-25957)
Vulnerability from cvelistv5 – Published: 2023-03-14 09:31 – Updated: 2025-02-27 15:01
VLAI?
Summary
A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions >= V1.16.4 < V1.17.3), Mendix SAML (Mendix 8 compatible) (All versions >= V2.2.0 < V2.3.0), Mendix SAML (Mendix 9 latest compatible, New Track) (All versions >= V3.1.9 < V3.3.1), Mendix SAML (Mendix 9 latest compatible, Upgrade Track) (All versions >= V3.1.8 < V3.3.0), Mendix SAML (Mendix 9.6 compatible, New Track) (All versions >= V3.1.9 < V3.2.7), Mendix SAML (Mendix 9.6 compatible, Upgrade Track) (All versions >= V3.1.8 < V3.2.6). The affected versions of the module insufficiently verify the SAML assertions. This could allow unauthenticated remote attackers to bypass authentication and get access to the application.
For compatibility reasons, fix versions still contain this issue, but only when the recommended, default configuration option `'Use Encryption'` is disabled.
Severity ?
9.1 (Critical)
CWE
- CWE-303 - Incorrect Implementation of Authentication Algorithm
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Siemens | Mendix SAML (Mendix 7 compatible) |
Affected:
All versions >= V1.16.4 < V1.17.3
|
|||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:39:06.039Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-851884.pdf"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25957",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T15:01:01.659726Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T15:01:20.848Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 7 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V1.16.4 \u003c V1.17.3"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 8 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V2.2.0 \u003c V2.3.0"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 9 latest compatible, New Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.1.9 \u003c V3.3.1"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 9 latest compatible, Upgrade Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.1.8 \u003c V3.3.0"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 9.6 compatible, New Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.1.9 \u003c V3.2.7"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 9.6 compatible, Upgrade Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.1.8 \u003c V3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions \u003e= V1.16.4 \u003c V1.17.3), Mendix SAML (Mendix 8 compatible) (All versions \u003e= V2.2.0 \u003c V2.3.0), Mendix SAML (Mendix 9 latest compatible, New Track) (All versions \u003e= V3.1.9 \u003c V3.3.1), Mendix SAML (Mendix 9 latest compatible, Upgrade Track) (All versions \u003e= V3.1.8 \u003c V3.3.0), Mendix SAML (Mendix 9.6 compatible, New Track) (All versions \u003e= V3.1.9 \u003c V3.2.7), Mendix SAML (Mendix 9.6 compatible, Upgrade Track) (All versions \u003e= V3.1.8 \u003c V3.2.6). The affected versions of the module insufficiently verify the SAML assertions. This could allow unauthenticated remote attackers to bypass authentication and get access to the application.\r\n\r\nFor compatibility reasons, fix versions still contain this issue, but only when the recommended, default configuration option `\u0027Use Encryption\u0027` is disabled."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-303",
"description": "CWE-303: Incorrect Implementation of Authentication Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-08T09:20:15.602Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-851884.pdf"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2023-25957",
"datePublished": "2023-03-14T09:31:56.091Z",
"dateReserved": "2023-02-17T12:29:22.279Z",
"dateUpdated": "2025-02-27T15:01:20.848Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-46823 (GCVE-0-2022-46823)
Vulnerability from cvelistv5 – Published: 2023-01-10 11:39 – Updated: 2025-04-09 14:01
VLAI?
Summary
A vulnerability has been identified in Mendix SAML (Mendix 8 compatible) (All versions >= V2.3.0 < V2.3.4), Mendix SAML (Mendix 9 compatible, New Track) (All versions >= V3.3.0 < V3.3.9), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions >= V3.3.0 < V3.3.8). The affected module is vulnerable to reflected cross-site scripting (XSS) attacks. This could allow an attacker to extract sensitive information by tricking users into accessing a malicious link.
Severity ?
9.3 (Critical)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Siemens | Mendix SAML (Mendix 8 compatible) |
Affected:
All versions >= V2.3.0 < V2.3.4
|
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:39:38.695Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-496604.pdf"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-46823",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-09T14:01:19.219213Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-09T14:01:27.985Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 8 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V2.3.0 \u003c V2.3.4"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 9 compatible, New Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.3.0 \u003c V3.3.9"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 9 compatible, Upgrade Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.3.0 \u003c V3.3.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Mendix SAML (Mendix 8 compatible) (All versions \u003e= V2.3.0 \u003c V2.3.4), Mendix SAML (Mendix 9 compatible, New Track) (All versions \u003e= V3.3.0 \u003c V3.3.9), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions \u003e= V3.3.0 \u003c V3.3.8). The affected module is vulnerable to reflected cross-site scripting (XSS) attacks. This could allow an attacker to extract sensitive information by tricking users into accessing a malicious link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-10T11:39:46.211Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-496604.pdf"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2022-46823",
"datePublished": "2023-01-10T11:39:46.211Z",
"dateReserved": "2022-12-08T15:19:35.234Z",
"dateUpdated": "2025-04-09T14:01:27.985Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-44457 (GCVE-0-2022-44457)
Vulnerability from cvelistv5 – Published: 2022-11-08 00:00 – Updated: 2025-05-01 18:07
VLAI?
Summary
A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions < V1.17.0), Mendix SAML (Mendix 7 compatible) (All versions >= V1.17.0 < V1.17.2), Mendix SAML (Mendix 8 compatible) (All versions < V2.3.0), Mendix SAML (Mendix 8 compatible) (All versions >= V2.3.0 < V2.3.2), Mendix SAML (Mendix 9 compatible, New Track) (All versions < V3.3.1), Mendix SAML (Mendix 9 compatible, New Track) (All versions >= V3.3.1 < V3.3.5), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions < V3.3.0), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions >= V3.3.0 < V3.3.4). Affected versions of the module insufficiently protect from packet capture replay, only when the not recommended, non default configuration option `'Allow Idp Initiated Authentication'` is enabled. This CVE entry describes the incomplete fix for CVE-2022-37011 in a specific non default configuration.
Severity ?
9.8 (Critical)
CWE
- CWE-294 - Authentication Bypass by Capture-replay
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Siemens | Mendix SAML (Mendix 7 compatible) |
Affected:
All versions < V1.17.0
|
|||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:54:03.401Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-638652.pdf"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-44457",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-01T18:07:08.237002Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-01T18:07:21.381Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Mendix SAML (Mendix 7 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V1.17.0"
}
]
},
{
"product": "Mendix SAML (Mendix 7 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V1.17.0 \u003c V1.17.2"
}
]
},
{
"product": "Mendix SAML (Mendix 8 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V2.3.0"
}
]
},
{
"product": "Mendix SAML (Mendix 8 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V2.3.0 \u003c V2.3.2"
}
]
},
{
"product": "Mendix SAML (Mendix 9 compatible, New Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V3.3.1"
}
]
},
{
"product": "Mendix SAML (Mendix 9 compatible, New Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.3.1 \u003c V3.3.5"
}
]
},
{
"product": "Mendix SAML (Mendix 9 compatible, Upgrade Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V3.3.0"
}
]
},
{
"product": "Mendix SAML (Mendix 9 compatible, Upgrade Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.3.0 \u003c V3.3.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions \u003c V1.17.0), Mendix SAML (Mendix 7 compatible) (All versions \u003e= V1.17.0 \u003c V1.17.2), Mendix SAML (Mendix 8 compatible) (All versions \u003c V2.3.0), Mendix SAML (Mendix 8 compatible) (All versions \u003e= V2.3.0 \u003c V2.3.2), Mendix SAML (Mendix 9 compatible, New Track) (All versions \u003c V3.3.1), Mendix SAML (Mendix 9 compatible, New Track) (All versions \u003e= V3.3.1 \u003c V3.3.5), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions \u003c V3.3.0), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions \u003e= V3.3.0 \u003c V3.3.4). Affected versions of the module insufficiently protect from packet capture replay, only when the not recommended, non default configuration option `\u0027Allow Idp Initiated Authentication\u0027` is enabled. This CVE entry describes the incomplete fix for CVE-2022-37011 in a specific non default configuration."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294: Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-13T00:00:00.000Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-638652.pdf"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2022-44457",
"datePublished": "2022-11-08T00:00:00.000Z",
"dateReserved": "2022-10-31T00:00:00.000Z",
"dateUpdated": "2025-05-01T18:07:21.381Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-37011 (GCVE-0-2022-37011)
Vulnerability from cvelistv5 – Published: 2022-09-13 00:00 – Updated: 2024-08-03 10:21
VLAI?
Summary
A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions < V1.17.0), Mendix SAML (Mendix 8 compatible) (All versions < V2.3.0), Mendix SAML (Mendix 9 compatible, New Track) (All versions < V3.3.1), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions < V3.3.0). Affected versions of the module insufficiently protect from packet capture replay. This could allow unauthorized remote attackers to bypass authentication and get access to the application. For compatibility reasons, fix versions still contain this issue, but only when the not recommended, non default configuration option `'Allow Idp Initiated Authentication'` is enabled.
Severity ?
No CVSS data available.
CWE
- CWE-294 - Authentication Bypass by Capture-replay
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Siemens | Mendix SAML (Mendix 7 compatible) |
Affected:
All versions < V1.17.0
|
|||||||||||||||||
|
|||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:21:32.435Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-638652.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Mendix SAML (Mendix 7 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V1.17.0"
}
]
},
{
"product": "Mendix SAML (Mendix 8 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V2.3.0"
}
]
},
{
"product": "Mendix SAML (Mendix 9 compatible, New Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V3.3.1"
}
]
},
{
"product": "Mendix SAML (Mendix 9 compatible, Upgrade Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V3.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions \u003c V1.17.0), Mendix SAML (Mendix 8 compatible) (All versions \u003c V2.3.0), Mendix SAML (Mendix 9 compatible, New Track) (All versions \u003c V3.3.1), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions \u003c V3.3.0). Affected versions of the module insufficiently protect from packet capture replay. This could allow unauthorized remote attackers to bypass authentication and get access to the application. For compatibility reasons, fix versions still contain this issue, but only when the not recommended, non default configuration option `\u0027Allow Idp Initiated Authentication\u0027` is enabled."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294: Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-13T00:00:00",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-638652.pdf"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2022-37011",
"datePublished": "2022-09-13T00:00:00",
"dateReserved": "2022-07-28T00:00:00",
"dateUpdated": "2024-08-03T10:21:32.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-32286 (GCVE-0-2022-32286)
Vulnerability from cvelistv5 – Published: 2022-06-14 09:22 – Updated: 2024-08-03 07:39
VLAI?
Summary
A vulnerability has been identified in Mendix SAML Module (Mendix 7 compatible) (All versions < V1.16.6), Mendix SAML Module (Mendix 8 compatible) (All versions < V2.2.2), Mendix SAML Module (Mendix 9 compatible) (All versions < V3.2.3). In certain configurations SAML module is vulnerable to Cross Site Scripting (XSS) attacks due to insufficient error message sanitation. This could allow an attacker to execute malicious code by tricking users into accessing a malicious link.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Siemens | Mendix SAML Module (Mendix 7 compatible) |
Affected:
All versions < V1.16.6
|
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:39:50.502Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-740594.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Mendix SAML Module (Mendix 7 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V1.16.6"
}
]
},
{
"product": "Mendix SAML Module (Mendix 8 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V2.2.2"
}
]
},
{
"product": "Mendix SAML Module (Mendix 9 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V3.2.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Mendix SAML Module (Mendix 7 compatible) (All versions \u003c V1.16.6), Mendix SAML Module (Mendix 8 compatible) (All versions \u003c V2.2.2), Mendix SAML Module (Mendix 9 compatible) (All versions \u003c V3.2.3). In certain configurations SAML module is vulnerable to Cross Site Scripting (XSS) attacks due to insufficient error message sanitation. This could allow an attacker to execute malicious code by tricking users into accessing a malicious link."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-14T09:22:20",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-740594.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "productcert@siemens.com",
"ID": "CVE-2022-32286",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Mendix SAML Module (Mendix 7 compatible)",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V1.16.6"
}
]
}
},
{
"product_name": "Mendix SAML Module (Mendix 8 compatible)",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V2.2.2"
}
]
}
},
{
"product_name": "Mendix SAML Module (Mendix 9 compatible)",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V3.2.3"
}
]
}
}
]
},
"vendor_name": "Siemens"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability has been identified in Mendix SAML Module (Mendix 7 compatible) (All versions \u003c V1.16.6), Mendix SAML Module (Mendix 8 compatible) (All versions \u003c V2.2.2), Mendix SAML Module (Mendix 9 compatible) (All versions \u003c V3.2.3). In certain configurations SAML module is vulnerable to Cross Site Scripting (XSS) attacks due to insufficient error message sanitation. This could allow an attacker to execute malicious code by tricking users into accessing a malicious link."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-740594.pdf",
"refsource": "MISC",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-740594.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2022-32286",
"datePublished": "2022-06-14T09:22:20",
"dateReserved": "2022-06-03T00:00:00",
"dateUpdated": "2024-08-03T07:39:50.502Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-32285 (GCVE-0-2022-32285)
Vulnerability from cvelistv5 – Published: 2022-06-14 09:22 – Updated: 2024-08-03 07:39
VLAI?
Summary
A vulnerability has been identified in Mendix SAML Module (Mendix 7 compatible) (All versions < V1.16.6), Mendix SAML Module (Mendix 8 compatible) (All versions < V2.2.2), Mendix SAML Module (Mendix 9 compatible) (All versions < V3.2.3). The affected module is vulnerable to XML External Entity (XXE) attacks due to insufficient input sanitation. This may allow an attacker to disclose confidential data under certain circumstances.
Severity ?
No CVSS data available.
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Siemens | Mendix SAML Module (Mendix 7 compatible) |
Affected:
All versions < V1.16.6
|
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:39:51.062Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-740594.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Mendix SAML Module (Mendix 7 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V1.16.6"
}
]
},
{
"product": "Mendix SAML Module (Mendix 8 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V2.2.2"
}
]
},
{
"product": "Mendix SAML Module (Mendix 9 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V3.2.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Mendix SAML Module (Mendix 7 compatible) (All versions \u003c V1.16.6), Mendix SAML Module (Mendix 8 compatible) (All versions \u003c V2.2.2), Mendix SAML Module (Mendix 9 compatible) (All versions \u003c V3.2.3). The affected module is vulnerable to XML External Entity (XXE) attacks due to insufficient input sanitation. This may allow an attacker to disclose confidential data under certain circumstances."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-14T09:22:19",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-740594.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "productcert@siemens.com",
"ID": "CVE-2022-32285",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Mendix SAML Module (Mendix 7 compatible)",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V1.16.6"
}
]
}
},
{
"product_name": "Mendix SAML Module (Mendix 8 compatible)",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V2.2.2"
}
]
}
},
{
"product_name": "Mendix SAML Module (Mendix 9 compatible)",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V3.2.3"
}
]
}
}
]
},
"vendor_name": "Siemens"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability has been identified in Mendix SAML Module (Mendix 7 compatible) (All versions \u003c V1.16.6), Mendix SAML Module (Mendix 8 compatible) (All versions \u003c V2.2.2), Mendix SAML Module (Mendix 9 compatible) (All versions \u003c V3.2.3). The affected module is vulnerable to XML External Entity (XXE) attacks due to insufficient input sanitation. This may allow an attacker to disclose confidential data under certain circumstances."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-611: Improper Restriction of XML External Entity Reference"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-740594.pdf",
"refsource": "MISC",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-740594.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2022-32285",
"datePublished": "2022-06-14T09:22:19",
"dateReserved": "2022-06-03T00:00:00",
"dateUpdated": "2024-08-03T07:39:51.062Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33712 (GCVE-0-2021-33712)
Vulnerability from cvelistv5 – Published: 2021-06-08 19:47 – Updated: 2024-08-03 23:58
VLAI?
Summary
A vulnerability has been identified in Mendix SAML Module (All versions < V2.1.2). The configuration of the SAML module does not properly check various restrictions and validations imposed by an identity provider. This could allow a remote authenticated attacker to escalate privileges.
Severity ?
No CVSS data available.
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Siemens | Mendix SAML Module |
Affected:
All versions < V2.1.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:58:22.801Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-522654.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Mendix SAML Module",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V2.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Mendix SAML Module (All versions \u003c V2.1.2). The configuration of the SAML module does not properly check various restrictions and validations imposed by an identity provider. This could allow a remote authenticated attacker to escalate privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-08T19:47:17",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-522654.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "productcert@siemens.com",
"ID": "CVE-2021-33712",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Mendix SAML Module",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V2.1.2"
}
]
}
}
]
},
"vendor_name": "Siemens"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability has been identified in Mendix SAML Module (All versions \u003c V2.1.2). The configuration of the SAML module does not properly check various restrictions and validations imposed by an identity provider. This could allow a remote authenticated attacker to escalate privileges."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-345: Insufficient Verification of Data Authenticity"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-522654.pdf",
"refsource": "MISC",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-522654.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2021-33712",
"datePublished": "2021-06-08T19:47:17",
"dateReserved": "2021-05-28T00:00:00",
"dateUpdated": "2024-08-03T23:58:22.801Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-29129 (GCVE-0-2023-29129)
Vulnerability from nvd – Published: 2023-06-13 08:17 – Updated: 2025-01-03 01:45
VLAI?
Summary
A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions >= V1.17.3 < V1.18.0), Mendix SAML (Mendix 7 compatible) (All versions >= V1.16.4 < V1.17.3), Mendix SAML (Mendix 8 compatible) (All versions >= V2.3.0 < V2.4.0), Mendix SAML (Mendix 8 compatible) (All versions >= V2.2.0 < V2.3.0), Mendix SAML (Mendix 9 latest compatible, New Track) (All versions >= V3.3.1 < V3.6.1), Mendix SAML (Mendix 9 latest compatible, New Track) (All versions >= V3.1.9 < V3.3.1), Mendix SAML (Mendix 9 latest compatible, Upgrade Track) (All versions >= V3.3.0 < V3.6.0), Mendix SAML (Mendix 9 latest compatible, Upgrade Track) (All versions >= V3.1.8 < V3.3.0), Mendix SAML (Mendix 9.12/9.18 compatible, New Track) (All versions >= V3.3.1 < V3.3.15), Mendix SAML (Mendix 9.12/9.18 compatible, Upgrade Track) (All versions >= V3.3.0 < V3.3.14), Mendix SAML (Mendix 9.6 compatible, New Track) (All versions >= V3.1.9 < V3.2.7), Mendix SAML (Mendix 9.6 compatible, Upgrade Track) (All versions >= V3.1.8 < V3.2.6). The affected versions of the module insufficiently verify the SAML assertions. This could allow unauthenticated remote attackers to bypass authentication and get access to the application.
This CVE entry describes the incomplete fix for CVE-2023-25957 in a specific non default configuration.
Severity ?
9.1 (Critical)
CWE
- CWE-303 - Incorrect Implementation of Authentication Algorithm
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Siemens | Mendix SAML (Mendix 7 compatible) |
Affected:
All versions >= V1.17.3 < V1.18.0
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:00:14.997Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-851884.pdf"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-29129",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-03T01:44:31.875796Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-03T01:45:08.421Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 7 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V1.17.3 \u003c V1.18.0"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 7 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V1.16.4 \u003c V1.17.3"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 8 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V2.3.0 \u003c V2.4.0"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 8 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V2.2.0 \u003c V2.3.0"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 9 latest compatible, New Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.3.1 \u003c V3.6.1"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 9 latest compatible, New Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.1.9 \u003c V3.3.1"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 9 latest compatible, Upgrade Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.3.0 \u003c V3.6.0"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 9 latest compatible, Upgrade Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.1.8 \u003c V3.3.0"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 9.12/9.18 compatible, New Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.3.1 \u003c V3.3.15"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 9.12/9.18 compatible, Upgrade Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.3.0 \u003c V3.3.14"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 9.6 compatible, New Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.1.9 \u003c V3.2.7"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 9.6 compatible, Upgrade Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.1.8 \u003c V3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions \u003e= V1.17.3 \u003c V1.18.0), Mendix SAML (Mendix 7 compatible) (All versions \u003e= V1.16.4 \u003c V1.17.3), Mendix SAML (Mendix 8 compatible) (All versions \u003e= V2.3.0 \u003c V2.4.0), Mendix SAML (Mendix 8 compatible) (All versions \u003e= V2.2.0 \u003c V2.3.0), Mendix SAML (Mendix 9 latest compatible, New Track) (All versions \u003e= V3.3.1 \u003c V3.6.1), Mendix SAML (Mendix 9 latest compatible, New Track) (All versions \u003e= V3.1.9 \u003c V3.3.1), Mendix SAML (Mendix 9 latest compatible, Upgrade Track) (All versions \u003e= V3.3.0 \u003c V3.6.0), Mendix SAML (Mendix 9 latest compatible, Upgrade Track) (All versions \u003e= V3.1.8 \u003c V3.3.0), Mendix SAML (Mendix 9.12/9.18 compatible, New Track) (All versions \u003e= V3.3.1 \u003c V3.3.15), Mendix SAML (Mendix 9.12/9.18 compatible, Upgrade Track) (All versions \u003e= V3.3.0 \u003c V3.3.14), Mendix SAML (Mendix 9.6 compatible, New Track) (All versions \u003e= V3.1.9 \u003c V3.2.7), Mendix SAML (Mendix 9.6 compatible, Upgrade Track) (All versions \u003e= V3.1.8 \u003c V3.2.6). The affected versions of the module insufficiently verify the SAML assertions. This could allow unauthenticated remote attackers to bypass authentication and get access to the application.\r\n\r\nThis CVE entry describes the incomplete fix for CVE-2023-25957 in a specific non default configuration."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-303",
"description": "CWE-303: Incorrect Implementation of Authentication Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-08T09:20:18.907Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-851884.pdf"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2023-29129",
"datePublished": "2023-06-13T08:17:09.102Z",
"dateReserved": "2023-03-31T10:54:25.290Z",
"dateUpdated": "2025-01-03T01:45:08.421Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-25957 (GCVE-0-2023-25957)
Vulnerability from nvd – Published: 2023-03-14 09:31 – Updated: 2025-02-27 15:01
VLAI?
Summary
A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions >= V1.16.4 < V1.17.3), Mendix SAML (Mendix 8 compatible) (All versions >= V2.2.0 < V2.3.0), Mendix SAML (Mendix 9 latest compatible, New Track) (All versions >= V3.1.9 < V3.3.1), Mendix SAML (Mendix 9 latest compatible, Upgrade Track) (All versions >= V3.1.8 < V3.3.0), Mendix SAML (Mendix 9.6 compatible, New Track) (All versions >= V3.1.9 < V3.2.7), Mendix SAML (Mendix 9.6 compatible, Upgrade Track) (All versions >= V3.1.8 < V3.2.6). The affected versions of the module insufficiently verify the SAML assertions. This could allow unauthenticated remote attackers to bypass authentication and get access to the application.
For compatibility reasons, fix versions still contain this issue, but only when the recommended, default configuration option `'Use Encryption'` is disabled.
Severity ?
9.1 (Critical)
CWE
- CWE-303 - Incorrect Implementation of Authentication Algorithm
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Siemens | Mendix SAML (Mendix 7 compatible) |
Affected:
All versions >= V1.16.4 < V1.17.3
|
|||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T11:39:06.039Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-851884.pdf"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-25957",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T15:01:01.659726Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T15:01:20.848Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 7 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V1.16.4 \u003c V1.17.3"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 8 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V2.2.0 \u003c V2.3.0"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 9 latest compatible, New Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.1.9 \u003c V3.3.1"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 9 latest compatible, Upgrade Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.1.8 \u003c V3.3.0"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 9.6 compatible, New Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.1.9 \u003c V3.2.7"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 9.6 compatible, Upgrade Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.1.8 \u003c V3.2.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions \u003e= V1.16.4 \u003c V1.17.3), Mendix SAML (Mendix 8 compatible) (All versions \u003e= V2.2.0 \u003c V2.3.0), Mendix SAML (Mendix 9 latest compatible, New Track) (All versions \u003e= V3.1.9 \u003c V3.3.1), Mendix SAML (Mendix 9 latest compatible, Upgrade Track) (All versions \u003e= V3.1.8 \u003c V3.3.0), Mendix SAML (Mendix 9.6 compatible, New Track) (All versions \u003e= V3.1.9 \u003c V3.2.7), Mendix SAML (Mendix 9.6 compatible, Upgrade Track) (All versions \u003e= V3.1.8 \u003c V3.2.6). The affected versions of the module insufficiently verify the SAML assertions. This could allow unauthenticated remote attackers to bypass authentication and get access to the application.\r\n\r\nFor compatibility reasons, fix versions still contain this issue, but only when the recommended, default configuration option `\u0027Use Encryption\u0027` is disabled."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-303",
"description": "CWE-303: Incorrect Implementation of Authentication Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-08T09:20:15.602Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-851884.pdf"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2023-25957",
"datePublished": "2023-03-14T09:31:56.091Z",
"dateReserved": "2023-02-17T12:29:22.279Z",
"dateUpdated": "2025-02-27T15:01:20.848Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-46823 (GCVE-0-2022-46823)
Vulnerability from nvd – Published: 2023-01-10 11:39 – Updated: 2025-04-09 14:01
VLAI?
Summary
A vulnerability has been identified in Mendix SAML (Mendix 8 compatible) (All versions >= V2.3.0 < V2.3.4), Mendix SAML (Mendix 9 compatible, New Track) (All versions >= V3.3.0 < V3.3.9), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions >= V3.3.0 < V3.3.8). The affected module is vulnerable to reflected cross-site scripting (XSS) attacks. This could allow an attacker to extract sensitive information by tricking users into accessing a malicious link.
Severity ?
9.3 (Critical)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Siemens | Mendix SAML (Mendix 8 compatible) |
Affected:
All versions >= V2.3.0 < V2.3.4
|
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:39:38.695Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-496604.pdf"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-46823",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-09T14:01:19.219213Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-09T14:01:27.985Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 8 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V2.3.0 \u003c V2.3.4"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 9 compatible, New Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.3.0 \u003c V3.3.9"
}
]
},
{
"defaultStatus": "unknown",
"product": "Mendix SAML (Mendix 9 compatible, Upgrade Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.3.0 \u003c V3.3.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Mendix SAML (Mendix 8 compatible) (All versions \u003e= V2.3.0 \u003c V2.3.4), Mendix SAML (Mendix 9 compatible, New Track) (All versions \u003e= V3.3.0 \u003c V3.3.9), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions \u003e= V3.3.0 \u003c V3.3.8). The affected module is vulnerable to reflected cross-site scripting (XSS) attacks. This could allow an attacker to extract sensitive information by tricking users into accessing a malicious link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-01-10T11:39:46.211Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-496604.pdf"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2022-46823",
"datePublished": "2023-01-10T11:39:46.211Z",
"dateReserved": "2022-12-08T15:19:35.234Z",
"dateUpdated": "2025-04-09T14:01:27.985Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-44457 (GCVE-0-2022-44457)
Vulnerability from nvd – Published: 2022-11-08 00:00 – Updated: 2025-05-01 18:07
VLAI?
Summary
A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions < V1.17.0), Mendix SAML (Mendix 7 compatible) (All versions >= V1.17.0 < V1.17.2), Mendix SAML (Mendix 8 compatible) (All versions < V2.3.0), Mendix SAML (Mendix 8 compatible) (All versions >= V2.3.0 < V2.3.2), Mendix SAML (Mendix 9 compatible, New Track) (All versions < V3.3.1), Mendix SAML (Mendix 9 compatible, New Track) (All versions >= V3.3.1 < V3.3.5), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions < V3.3.0), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions >= V3.3.0 < V3.3.4). Affected versions of the module insufficiently protect from packet capture replay, only when the not recommended, non default configuration option `'Allow Idp Initiated Authentication'` is enabled. This CVE entry describes the incomplete fix for CVE-2022-37011 in a specific non default configuration.
Severity ?
9.8 (Critical)
CWE
- CWE-294 - Authentication Bypass by Capture-replay
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Siemens | Mendix SAML (Mendix 7 compatible) |
Affected:
All versions < V1.17.0
|
|||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T13:54:03.401Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-638652.pdf"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-44457",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-01T18:07:08.237002Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-01T18:07:21.381Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Mendix SAML (Mendix 7 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V1.17.0"
}
]
},
{
"product": "Mendix SAML (Mendix 7 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V1.17.0 \u003c V1.17.2"
}
]
},
{
"product": "Mendix SAML (Mendix 8 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V2.3.0"
}
]
},
{
"product": "Mendix SAML (Mendix 8 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V2.3.0 \u003c V2.3.2"
}
]
},
{
"product": "Mendix SAML (Mendix 9 compatible, New Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V3.3.1"
}
]
},
{
"product": "Mendix SAML (Mendix 9 compatible, New Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.3.1 \u003c V3.3.5"
}
]
},
{
"product": "Mendix SAML (Mendix 9 compatible, Upgrade Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V3.3.0"
}
]
},
{
"product": "Mendix SAML (Mendix 9 compatible, Upgrade Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003e= V3.3.0 \u003c V3.3.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions \u003c V1.17.0), Mendix SAML (Mendix 7 compatible) (All versions \u003e= V1.17.0 \u003c V1.17.2), Mendix SAML (Mendix 8 compatible) (All versions \u003c V2.3.0), Mendix SAML (Mendix 8 compatible) (All versions \u003e= V2.3.0 \u003c V2.3.2), Mendix SAML (Mendix 9 compatible, New Track) (All versions \u003c V3.3.1), Mendix SAML (Mendix 9 compatible, New Track) (All versions \u003e= V3.3.1 \u003c V3.3.5), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions \u003c V3.3.0), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions \u003e= V3.3.0 \u003c V3.3.4). Affected versions of the module insufficiently protect from packet capture replay, only when the not recommended, non default configuration option `\u0027Allow Idp Initiated Authentication\u0027` is enabled. This CVE entry describes the incomplete fix for CVE-2022-37011 in a specific non default configuration."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294: Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-13T00:00:00.000Z",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-638652.pdf"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2022-44457",
"datePublished": "2022-11-08T00:00:00.000Z",
"dateReserved": "2022-10-31T00:00:00.000Z",
"dateUpdated": "2025-05-01T18:07:21.381Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-37011 (GCVE-0-2022-37011)
Vulnerability from nvd – Published: 2022-09-13 00:00 – Updated: 2024-08-03 10:21
VLAI?
Summary
A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions < V1.17.0), Mendix SAML (Mendix 8 compatible) (All versions < V2.3.0), Mendix SAML (Mendix 9 compatible, New Track) (All versions < V3.3.1), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions < V3.3.0). Affected versions of the module insufficiently protect from packet capture replay. This could allow unauthorized remote attackers to bypass authentication and get access to the application. For compatibility reasons, fix versions still contain this issue, but only when the not recommended, non default configuration option `'Allow Idp Initiated Authentication'` is enabled.
Severity ?
No CVSS data available.
CWE
- CWE-294 - Authentication Bypass by Capture-replay
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Siemens | Mendix SAML (Mendix 7 compatible) |
Affected:
All versions < V1.17.0
|
|||||||||||||||||
|
|||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T10:21:32.435Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-638652.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Mendix SAML (Mendix 7 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V1.17.0"
}
]
},
{
"product": "Mendix SAML (Mendix 8 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V2.3.0"
}
]
},
{
"product": "Mendix SAML (Mendix 9 compatible, New Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V3.3.1"
}
]
},
{
"product": "Mendix SAML (Mendix 9 compatible, Upgrade Track)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V3.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Mendix SAML (Mendix 7 compatible) (All versions \u003c V1.17.0), Mendix SAML (Mendix 8 compatible) (All versions \u003c V2.3.0), Mendix SAML (Mendix 9 compatible, New Track) (All versions \u003c V3.3.1), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions \u003c V3.3.0). Affected versions of the module insufficiently protect from packet capture replay. This could allow unauthorized remote attackers to bypass authentication and get access to the application. For compatibility reasons, fix versions still contain this issue, but only when the not recommended, non default configuration option `\u0027Allow Idp Initiated Authentication\u0027` is enabled."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-294",
"description": "CWE-294: Authentication Bypass by Capture-replay",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-13T00:00:00",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-638652.pdf"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2022-37011",
"datePublished": "2022-09-13T00:00:00",
"dateReserved": "2022-07-28T00:00:00",
"dateUpdated": "2024-08-03T10:21:32.435Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-32286 (GCVE-0-2022-32286)
Vulnerability from nvd – Published: 2022-06-14 09:22 – Updated: 2024-08-03 07:39
VLAI?
Summary
A vulnerability has been identified in Mendix SAML Module (Mendix 7 compatible) (All versions < V1.16.6), Mendix SAML Module (Mendix 8 compatible) (All versions < V2.2.2), Mendix SAML Module (Mendix 9 compatible) (All versions < V3.2.3). In certain configurations SAML module is vulnerable to Cross Site Scripting (XSS) attacks due to insufficient error message sanitation. This could allow an attacker to execute malicious code by tricking users into accessing a malicious link.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Siemens | Mendix SAML Module (Mendix 7 compatible) |
Affected:
All versions < V1.16.6
|
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:39:50.502Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-740594.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Mendix SAML Module (Mendix 7 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V1.16.6"
}
]
},
{
"product": "Mendix SAML Module (Mendix 8 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V2.2.2"
}
]
},
{
"product": "Mendix SAML Module (Mendix 9 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V3.2.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Mendix SAML Module (Mendix 7 compatible) (All versions \u003c V1.16.6), Mendix SAML Module (Mendix 8 compatible) (All versions \u003c V2.2.2), Mendix SAML Module (Mendix 9 compatible) (All versions \u003c V3.2.3). In certain configurations SAML module is vulnerable to Cross Site Scripting (XSS) attacks due to insufficient error message sanitation. This could allow an attacker to execute malicious code by tricking users into accessing a malicious link."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-14T09:22:20",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-740594.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "productcert@siemens.com",
"ID": "CVE-2022-32286",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Mendix SAML Module (Mendix 7 compatible)",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V1.16.6"
}
]
}
},
{
"product_name": "Mendix SAML Module (Mendix 8 compatible)",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V2.2.2"
}
]
}
},
{
"product_name": "Mendix SAML Module (Mendix 9 compatible)",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V3.2.3"
}
]
}
}
]
},
"vendor_name": "Siemens"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability has been identified in Mendix SAML Module (Mendix 7 compatible) (All versions \u003c V1.16.6), Mendix SAML Module (Mendix 8 compatible) (All versions \u003c V2.2.2), Mendix SAML Module (Mendix 9 compatible) (All versions \u003c V3.2.3). In certain configurations SAML module is vulnerable to Cross Site Scripting (XSS) attacks due to insufficient error message sanitation. This could allow an attacker to execute malicious code by tricking users into accessing a malicious link."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-740594.pdf",
"refsource": "MISC",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-740594.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2022-32286",
"datePublished": "2022-06-14T09:22:20",
"dateReserved": "2022-06-03T00:00:00",
"dateUpdated": "2024-08-03T07:39:50.502Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-32285 (GCVE-0-2022-32285)
Vulnerability from nvd – Published: 2022-06-14 09:22 – Updated: 2024-08-03 07:39
VLAI?
Summary
A vulnerability has been identified in Mendix SAML Module (Mendix 7 compatible) (All versions < V1.16.6), Mendix SAML Module (Mendix 8 compatible) (All versions < V2.2.2), Mendix SAML Module (Mendix 9 compatible) (All versions < V3.2.3). The affected module is vulnerable to XML External Entity (XXE) attacks due to insufficient input sanitation. This may allow an attacker to disclose confidential data under certain circumstances.
Severity ?
No CVSS data available.
CWE
- CWE-611 - Improper Restriction of XML External Entity Reference
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Siemens | Mendix SAML Module (Mendix 7 compatible) |
Affected:
All versions < V1.16.6
|
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:39:51.062Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-740594.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Mendix SAML Module (Mendix 7 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V1.16.6"
}
]
},
{
"product": "Mendix SAML Module (Mendix 8 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V2.2.2"
}
]
},
{
"product": "Mendix SAML Module (Mendix 9 compatible)",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V3.2.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Mendix SAML Module (Mendix 7 compatible) (All versions \u003c V1.16.6), Mendix SAML Module (Mendix 8 compatible) (All versions \u003c V2.2.2), Mendix SAML Module (Mendix 9 compatible) (All versions \u003c V3.2.3). The affected module is vulnerable to XML External Entity (XXE) attacks due to insufficient input sanitation. This may allow an attacker to disclose confidential data under certain circumstances."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-611",
"description": "CWE-611: Improper Restriction of XML External Entity Reference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-14T09:22:19",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-740594.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "productcert@siemens.com",
"ID": "CVE-2022-32285",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Mendix SAML Module (Mendix 7 compatible)",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V1.16.6"
}
]
}
},
{
"product_name": "Mendix SAML Module (Mendix 8 compatible)",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V2.2.2"
}
]
}
},
{
"product_name": "Mendix SAML Module (Mendix 9 compatible)",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V3.2.3"
}
]
}
}
]
},
"vendor_name": "Siemens"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability has been identified in Mendix SAML Module (Mendix 7 compatible) (All versions \u003c V1.16.6), Mendix SAML Module (Mendix 8 compatible) (All versions \u003c V2.2.2), Mendix SAML Module (Mendix 9 compatible) (All versions \u003c V3.2.3). The affected module is vulnerable to XML External Entity (XXE) attacks due to insufficient input sanitation. This may allow an attacker to disclose confidential data under certain circumstances."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-611: Improper Restriction of XML External Entity Reference"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-740594.pdf",
"refsource": "MISC",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-740594.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2022-32285",
"datePublished": "2022-06-14T09:22:19",
"dateReserved": "2022-06-03T00:00:00",
"dateUpdated": "2024-08-03T07:39:51.062Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-33712 (GCVE-0-2021-33712)
Vulnerability from nvd – Published: 2021-06-08 19:47 – Updated: 2024-08-03 23:58
VLAI?
Summary
A vulnerability has been identified in Mendix SAML Module (All versions < V2.1.2). The configuration of the SAML module does not properly check various restrictions and validations imposed by an identity provider. This could allow a remote authenticated attacker to escalate privileges.
Severity ?
No CVSS data available.
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Siemens | Mendix SAML Module |
Affected:
All versions < V2.1.2
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T23:58:22.801Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-522654.pdf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Mendix SAML Module",
"vendor": "Siemens",
"versions": [
{
"status": "affected",
"version": "All versions \u003c V2.1.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been identified in Mendix SAML Module (All versions \u003c V2.1.2). The configuration of the SAML module does not properly check various restrictions and validations imposed by an identity provider. This could allow a remote authenticated attacker to escalate privileges."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-08T19:47:17",
"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"shortName": "siemens"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-522654.pdf"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "productcert@siemens.com",
"ID": "CVE-2021-33712",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Mendix SAML Module",
"version": {
"version_data": [
{
"version_value": "All versions \u003c V2.1.2"
}
]
}
}
]
},
"vendor_name": "Siemens"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability has been identified in Mendix SAML Module (All versions \u003c V2.1.2). The configuration of the SAML module does not properly check various restrictions and validations imposed by an identity provider. This could allow a remote authenticated attacker to escalate privileges."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-345: Insufficient Verification of Data Authenticity"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://cert-portal.siemens.com/productcert/pdf/ssa-522654.pdf",
"refsource": "MISC",
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-522654.pdf"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77",
"assignerShortName": "siemens",
"cveId": "CVE-2021-33712",
"datePublished": "2021-06-08T19:47:17",
"dateReserved": "2021-05-28T00:00:00",
"dateUpdated": "2024-08-03T23:58:22.801Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}