CVE-2022-24309 Information

Description

A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.29) Mendix Applications using Mendix 8 (All versions < V8.18.16) Mendix Applications using Mendix 9 (All deployments with Runtime Custom Setting DataStorage.UseNewQueryHandler set to False). If an entity has an association readable by the user then in some cases Mendix Runtime may not apply checks for XPath constraints that parse said associations within apps running on affected versions. A malicious user could use this to dump and manipulate sensitive data.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Reference

https://cert-portal.siemens.com/productcert/pdf/ssa-148641.pdf

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

NONE

Base Severity

8.1