User Enumeration Vulnerability in Mendix Forgot Password Modules
CVE-2023-43623
Key Information:
- Vendor: Siemens
- Status: Vendor
- CVE Published: 10 October 2023
Summary
The Mendix Forgot Password modules (in the versions listed below) allow user enumeration: the response to a password-reset request differs depending on whether the submitted username exists, so an unauthenticated remote attacker can tell valid usernames from invalid ones. Once valid usernames are known, an attacker can concentrate password-guessing (brute force) attempts on them, which raises the chance of compromising an account and gaining unauthorized access.
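The following is an added illustration, not code from the Mendix module, of the distinguishable-response class of bug the advisory describes. The user store, messages and status codes are constructed for the example; the hardened variant shows the standard fix (the same status and wording regardless of the lookup result), and a small black-box probe shows how an attacker, or a tester verifying the fix, would detect the difference.

```python
"""
Added example (not Mendix's code): a minimal forgot-password handler in a
vulnerable and a hardened variant, plus an enumeration probe.
Everything here (users, messages, status codes) is constructed for illustration.
"""
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Iterable

# Constructed user store; a real module would query the application's user table.
USERS = {"alice", "bob"}


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def forgot_password_vulnerable(username: str) -> Response:
    """Leaks account existence: status and message depend on the lookup result."""
    if username in USERS:
        # send_reset_mail(username) would go here
        return Response(200, "A password reset mail has been sent.")
    return Response(404, "No account exists with this username.")


def forgot_password_hardened(username: str) -> Response:
    """Uniform response: identical status and wording whether or not the
    account exists. The mail is only really sent for existing accounts, but the
    caller cannot observe that (note: response time must be equalized too, e.g.
    by queuing the mail asynchronously, otherwise timing still leaks)."""
    if username in USERS:
        pass  # send_reset_mail(username) would go here
    return Response(200, "If an account exists for that username, a reset mail has been sent.")


def probe_enumeration(handler: Callable[[str], Response],
                      candidates: Iterable[str]) -> Dict[str, bool]:
    """Black-box check: compare each candidate's response with the response for
    a username that certainly does not exist. Any difference in status or body
    marks the candidate as a valid username."""
    baseline = handler("no-such-user-" + secrets.token_hex(8))
    return {c: handler(c) != baseline for c in candidates}


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]
    print("vulnerable:", probe_enumeration(forgot_password_vulnerable, names))
    print("hardened:  ", probe_enumeration(forgot_password_hardened, names))
```

Running the probe against the vulnerable handler flags alice and bob as existing accounts; against the hardened handler every candidate looks the same as the random baseline. When testing a real deployment, also compare response sizes, headers and latency, since any of these can reintroduce the distinguishable response the fix is meant to remove.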
Affected Version(s)
- Mendix Forgot Password (Mendix 7 compatible): all versions < V3.7.3
- Mendix Forgot Password (Mendix 8 compatible): all versions < V4.1.3
- Mendix Forgot Password (Mendix 10 compatible): all versions < V5.4.0