PT-2022-20644 · Mendix · Mendix
Published: 2022-07-12 · Updated: 2023-07-24 · CVE-2022-31257
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Mendix Applications using Mendix 7 versions prior to 7.23.31
Mendix Applications using Mendix 8 versions prior to 8.18.18
Mendix Applications using Mendix 9 versions prior to 9.14.0
Mendix Applications using Mendix 9 (V9.12) versions prior to 9.12.2
Mendix Applications using Mendix 9 (V9.6) versions prior to 9.6.12
Description
A vulnerability has been identified that allows an attacker who has obtained access to an active user session to change that user's password while bypassing the password validation rules of the Mendix application, potentially allowing a weak password to be set.
Recommendations
For Mendix 7, update to version 7.23.31 or later.
For Mendix 8, update to version 8.18.18 or later.
For Mendix 9, update to version 9.14.0 or later.
For Mendix 9 (V9.12), update to version 9.12.2 or later.
For Mendix 9 (V9.6), update to version 9.6.12 or later.
Weakness Enumeration
Improper Access Control
Affected Products
Mendix