PT-2022-16598 · Mendix · Mendix Runtime V7, V8, V9

Published: 2022-03-08 · Updated: 2024-10-08 · CVE-2022-24309
CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions:
Mendix Runtime V7, versions prior to 7.23.29
Mendix Runtime V8, versions prior to 8.18.16
Mendix Runtime V9, version 9.13 and earlier, only when the Runtime Custom Setting DataStorage.UseNewQueryHandler is set to False

Description: Mendix Runtime may fail to enforce XPath access constraints when a query traverses associations that are readable by the user. An authenticated, low-privileged user of an app built on an affected runtime could use this to read (dump) and modify sensitive data that the app's entity access rules are meant to protect.

Recommendations:
Mendix Runtime V7, versions prior to 7.23.29: update to 7.23.29 or later.
Mendix Runtime V8, versions prior to 8.18.16: update to 8.18.16 or later.
Mendix Runtime V9, version 9.13 and earlier with DataStorage.UseNewQueryHandler set to False: either set the Runtime Custom Setting DataStorage.UseNewQueryHandler to True, or update to a version in which this vulnerability is fixed.
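The version and setting conditions above are easy to misread across three product lines, so the following triage script encodes them exactly as this advisory states them. It is an added example, not code from Mendix or from the advisory; the inventory it runs over is constructed sample data, and the app names, the `assess`/`triage` function names and the tri-state result are this example's own conventions. Feed it the runtime version and the value of DataStorage.UseNewQueryHandler taken from your own deployment.

```python
"""Affected-version triage for PT-2022-16598 / CVE-2022-24309.

Added example (not Mendix code). Ranges below are copied from the advisory:
  V7: fixed in 7.23.29      V8: fixed in 8.18.16
  V9: 9.13 and earlier affected only if DataStorage.UseNewQueryHandler is False
"""
from typing import Iterable, List, Optional, Tuple

# First fixed release per product line, from the advisory.
FIRST_FIXED = {7: (7, 23, 29), 8: (8, 18, 16)}
# V9: "version 9.13 and earlier" is affected, but only with the setting False.
V9_LAST_AFFECTED = (9, 13)
SETTING = "DataStorage.UseNewQueryHandler"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn "8.18.15" into (8, 18, 15); reject anything that is not dotted digits."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version: str, use_new_query_handler: Optional[bool] = None) -> Tuple[str, str]:
    """Classify one runtime as 'affected', 'not_affected' or 'unknown' with a reason.

    use_new_query_handler is the configured value of DataStorage.UseNewQueryHandler,
    or None when you have not yet checked it. It only matters on the V9 line.
    """
    v = parse_version(version)
    major = v[0]

    if major in FIRST_FIXED:
        fixed = FIRST_FIXED[major]
        fixed_str = ".".join(map(str, fixed))
        if v < fixed:  # tuple comparison is lexicographic, so 7.23 < 7.23.29
            return "affected", f"{version} is below first fixed release {fixed_str}"
        return "not_affected", f"{version} is at or above first fixed release {fixed_str}"

    if major == 9:
        if v[:2] > V9_LAST_AFFECTED:
            return "not_affected", f"{version} is later than 9.13"
        if use_new_query_handler is True:
            return "not_affected", f"{version} with {SETTING} set to True"
        if use_new_query_handler is False:
            return "affected", f"{version} with {SETTING} set to False"
        # 9.13 or earlier and the setting has not been verified: do not assume safe.
        return "unknown", f"{version} is 9.13 or earlier; value of {SETTING} not supplied"

    return "unknown", f"major version {major} is not covered by this advisory"


def triage(inventory: Iterable[Tuple[str, str, Optional[bool]]]) -> List[Tuple[str, str, str]]:
    """Run assess() over (app_name, runtime_version, setting) rows; returns (app, status, reason)."""
    return [(app, *assess(version, setting)) for app, version, setting in inventory]


# Constructed sample inventory for demonstration; not real deployments.
SAMPLE_INVENTORY = [
    ("crm-portal", "7.23.28", None),
    ("crm-portal-v2", "7.23.29", None),
    ("hr-app", "8.18.15", None),
    ("billing", "8.18.16", None),
    ("intranet", "9.12.4", False),
    ("intranet-staging", "9.12.4", True),
    ("legacy-9", "9.13.1", None),
    ("new-build", "9.14.0", False),
]

if __name__ == "__main__":
    for app, status, reason in triage(SAMPLE_INVENTORY):
        print(f"{status:13} {app:18} {reason}")
```

On the V9 line the script deliberately reports "unknown" rather than "not_affected" when the setting value is not supplied, because the advisory ties exposure to that setting and a missing answer is not evidence that it is True. Check the Runtime Custom Settings of each V9 app before closing the finding.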

Fix: see Recommendations above.

Weakness Enumeration: Improper Access Control

Related Identifiers: CVE-2022-24309

Affected Products:
Mendix Runtime V7
Mendix Runtime V8
Mendix Runtime V9