CVE-2023-23835

Summary

A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.34), Mendix Applications using Mendix 8 (All versions < V8.18.23), Mendix Applications using Mendix 9 (All versions < V9.22.0), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.10), Mendix Applications using Mendix 9 (V9.18) (All versions < V9.18.4), Mendix Applications using Mendix 9 (V9.6) (All versions < V9.6.15). Some of the Mendix runtime API’s allow attackers to bypass XPath constraints and retrieve information using XPath queries that trigger errors.

Affected Software

VendorProductVersion RangeStatus
SiemensMendix Applications using Mendix 7All versions < V7.23.34affected
SiemensMendix Applications using Mendix 8All versions < V8.18.23affected
SiemensMendix Applications using Mendix 9All versions < V9.22.0affected
SiemensMendix Applications using Mendix 9 (V9.12)All versions < V9.12.10affected
SiemensMendix Applications using Mendix 9 (V9.18)All versions < V9.18.4affected
SiemensMendix Applications using Mendix 9 (V9.6)All versions < V9.6.15affected

Weaknesses

  • CWE-284: CWE-284: Improper Access Control

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References