CVE-2022-31257

A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.31), Mendix Applications using Mendix 8 (All versions < V8.18.18), Mendix Applications using Mendix 9 (All versions < V9.14.0), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.2), Mendix Applications using Mendix 9 (V9.6) (All versions < V9.6.12). In case of access to an active user session in an application that is built with an affected version, it’s possible to change that user’s password bypassing password validations within a Mendix application. This could allow to set weak passwords.

Published: Jul 12, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-31257
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

CWEs:

CWE-269

Affected Software
References

Software	From	Fixed in
mendix / mendix	9.12.0	9.12.2
mendix / mendix	9.13.0	9.14.0
mendix / mendix	7.0.0	7.32.31
mendix / mendix	8.0.0	8.18.18
mendix / mendix	9.6.0	9.6.12

https://cert-portal.siemens.com/productcert/pdf/ssa-433782.pdf

Vulnerability Database

289,599

CVE-2022-31257