#VU61235 Improper access control in Mendix Forgot Password Appstore module


Published: 2022-03-10

Vulnerability identifier: #VU61235

Vulnerability risk: High

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-26313

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mendix Forgot Password Appstore module
Other software / Other software solutions

Vendor: Siemens

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote attacker can use the sign up flow to hijack arbitrary user accounts.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Mendix Forgot Password Appstore module: 3.3.0

External links
http://cert-portal.siemens.com/productcert/pdf/ssa-134279.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Siemens Mendix Forgot Password Appstore module