Vulnerability in Mendix Forgot Password Appstore module
Priority: Act Now
CVSS: 9.1
Advisory ID: SSA-134279
Published: Mar 8, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The Mendix Forgot Password Appstore module (versions 3.3.0 through 3.5.0 and Mendix 7 compatible versions before 3.2.2) contains vulnerabilities in password reset validation that allow unauthorized users to reset arbitrary account passwords without credentials. An attacker can exploit this to gain unauthorized access to accounts in affected applications. Siemens and Mitsubishi Electric have identified use of this module in their products.
What this means
What could happen
An attacker with no credentials could reset passwords and take over user accounts in Mendix-based applications that use the vulnerable Forgot Password module. This could compromise control system access if the application manages SCADA or industrial process systems.
Who's at risk
Utilities and municipalities using Mendix-based applications for SCADA, HMI, engineering workstations, or process management systems should assess their use of the Mendix Forgot Password Appstore module. This affects any web-based control system interface built on Mendix that relies on this module for user authentication.
How it could be exploited
An attacker sends a specially crafted password reset request to the Mendix application's forgot password endpoint. The vulnerable module fails to properly validate the reset mechanism, allowing the attacker to reset any user's password and gain account access without knowing the original credentials.
Prerequisites
- Network access to the Mendix application's web interface
- The application must be using the vulnerable Mendix Forgot Password Appstore module
- No credentials required to initiate password reset
- Remotely exploitable
- No authentication required
- Low complexity attack
- High CVSS (9.1)
- Affects access control to OT systems
- Account takeover capability
Exploitability
Moderate exploit probability (EPSS 1.6%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
Mendix Forgot Password Appstore module | ≥ V3.3.0 and < V3.5.1 | Fixed in 3.5.1
Mendix Forgot Password Appstore module (Mendix 7 compatible) | < V3.2.2 | Fixed in 3.2.2
Remediation & Mitigation
Schedule: requires a maintenance window
Patching may require a device reboot; plan for process interruption
Mendix Forgot Password Appstore module
HOTFIX: Update Mendix Forgot Password Appstore module to version 3.5.1 or later (for V3.3.0 and newer)
HOTFIX: Update Mendix Forgot Password Appstore module to version 3.2.2 or later (for Mendix 7 compatible versions)
CVEs (2)