CVE-2022-31257

HIGH

Published Jul 12, 20223y ago · Modified Jun 17, 20261w ago

7.5 CVSS 3.1

High

Published Jul 12, 2022 3y ago

Last Modified Jun 17, 2026 1w ago

Description

A vulnerability has been identified in Mendix Applications using Mendix 7 (All versions < V7.23.31), Mendix Applications using Mendix 8 (All versions < V8.18.18), Mendix Applications using Mendix 9 (All versions < V9.14.0), Mendix Applications using Mendix 9 (V9.12) (All versions < V9.12.2), Mendix Applications using Mendix 9 (V9.6) (All versions < V9.6.12). In case of access to an active user session in an application that is built with an affected version, it’s possible to change that user’s password bypassing password validations within a Mendix application. This could allow to set weak passwords.

CVSS Details

Base Score

7.5

Exploitability

3.9

Impact

3.6

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality None

Integrity High

Availability None

Threat Intelligence

No active exploitation signals — not in CISA KEV and no EPSS score yet.

Exploit & Patch Status

No Known Exploit

Patch Available

Weaknesses 1

CWE-284

Affected Products 5

Vendor	Product	Version	Range
mendix	mendix	*	≥7.0.0 – <7.32.31
mendix	mendix	*	≥8.0.0 – <8.18.18
mendix	mendix	*	≥9.6.0 – <9.6.12
mendix	mendix	*	≥9.12.0 – <9.12.2
mendix	mendix	*	≥9.13.0 – <9.14.0

References 1

cert-portal.siemens.com https://cert-portal.siemens.com/productcert/pdf/ssa-433782.pdf

PatchVendor Advisory

Remediation

cert-portal.siemens.com https://cert-portal.siemens.com/productcert/pdf/ssa-433782.pdf

PatchVendor Advisory