Improper Access Control in Mendix Applications by Mendix
CVE-2021-42025

6.5MEDIUM

Key Information:

Vendor: Siemens
Status: Mendix Applications Using Mendix 8; Mendix Applications Using Mendix 9
Vendor: CVE Published:; 9 November 2021

Summary

A significant vulnerability has been identified in Mendix Applications built on versions of Mendix Studio Pro prior to V8.18.13 and V9.6.2. This issue arises from insufficient control over write access for certain client actions, allowing authenticated attackers to manipulate System.FileDocument objects. Consequently, attackers may exploit this vulnerability to alter content within these documents, even if they lack legitimate write access. The implications of this flaw highlight the need for urgent remediation in all affected Mendix applications to safeguard against unauthorized data manipulation.

Affected Version(s)

Mendix Applications using Mendix 8 All versions < V8.18.13

Mendix Applications using Mendix 9 All versions < V9.6.2

References

https://cert-portal.siemens.com/productcert/pdf/ssa-77969...

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 9, 2021
Vulnerability Reserved
Oct 6, 2021