Cross-Site Scripting Vulnerability in Mendix Rich Text Widget
Monitor · Score 5.7 · SSA-190588 · Nov 17, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary
Mendix RichText widget (versions 4.0.0 to 4.6.0) contains a cross-site scripting vulnerability in the editor. An authenticated user can inject malicious scripts into rich text fields that execute in other users' browsers when the content is viewed, potentially compromising user sessions and access to application data.
What this means
What could happen
A user with engineering credentials could inject malicious scripts into rich text fields that execute in other users' browsers, potentially compromising session data or access to sensitive process information displayed in the application.
Who's at risk
Organizations using Mendix applications for process monitoring or control systems (HMI/SCADA front-ends, data visualization dashboards) should assess whether they use the RichText widget for displaying or collecting operational notes, alarm descriptions, or other user-editable text fields.
How it could be exploited
An authenticated user (engineer or operator) enters malicious JavaScript code into a Mendix RichText editor field. When another user views that content in their browser, the script executes in their session context, allowing the attacker to steal session tokens, modify displayed data, or redirect them to a malicious site.
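The defensive counterpart of the stored-XSS flow described above is to reduce any user-supplied rich text to a known-safe subset of markup before it is stored or rendered for other users. The following Python sanitizer is an added illustration of that principle; it is not Mendix's code and not the fix shipped in widget version 4.6.1 (the advisory does not describe how the fix works). The tag and attribute allowlists, the sample note text and the example URLs are assumptions chosen for the demonstration.

```python
"""Allowlist sanitizer for user-supplied rich-text HTML fragments.

Added example, not code from Mendix or from the advisory. It keeps a small
set of formatting tags, keeps `href` on links only when the URL scheme is
safe, drops every other tag and attribute (including event handlers such as
onerror), removes <script>/<style> blocks with their content, and escapes
text. It also reports what it dropped so a server can log suspicious input.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlists for the illustration, not the widget's configuration.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}  # remove the element and its content


class RichTextSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized output pieces
        self.open_stack = []   # tags we emitted and still need to close
        self._skip = None      # set while inside a script/style block
        self.dropped = []      # record of removed markup, for logging

    def handle_starttag(self, tag, attrs):
        if self._skip:
            return
        if tag in DROP_CONTENT_TAGS:
            self._skip = tag
            self.dropped.append(f"<{tag}> block")
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")
            return  # drop the tag itself; its text content is still kept
        kept = []
        for name, value in attrs:
            value = value or ""
            if name in ALLOWED_ATTRS.get(tag, set()) and self._safe_url(value):
                kept.append(f' {name}="{escape(value, quote=True)}"')
            else:
                self.dropped.append(f"{tag}@{name}")
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_stack.append(tag)

    def handle_endtag(self, tag):
        if self._skip:
            if tag == self._skip:
                self._skip = None
            return
        if tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        # Close only tags we opened, unwinding any mis-nested inner tags.
        if tag in self.open_stack:
            while self.open_stack:
                top = self.open_stack.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if self._skip:
            return
        self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        self.dropped.append("comment")

    def result(self):
        while self.open_stack:  # close anything the author left open
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)

    @staticmethod
    def _safe_url(value):
        scheme = urlparse(value.strip()).scheme.lower()
        return scheme == "" or scheme in SAFE_SCHEMES


def sanitize_rich_text(fragment):
    """Return (clean_html, dropped_items) for a user-supplied fragment."""
    parser = RichTextSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result(), parser.dropped


# Constructed sample of an operator note carrying markup that must not survive.
CONSTRUCTED_NOTE = (
    '<p>Pump P-101 tripped at 14:02 <b>twice</b>.</p>'
    '<script>evil()</script>'
    '<img src="x" onerror="evil()">'
    '<a href="javascript:evil()">ticket</a>'
    '<a href="https://example.invalid/ticket/42">ticket</a>'
)

if __name__ == "__main__":
    clean, dropped = sanitize_rich_text(CONSTRUCTED_NOTE)
    print(clean)
    print("dropped:", dropped)
```

The `dropped` list is the detection hook: a back end that sanitizes on save can log entries such as `<script> block` or `a@href` together with the authoring account, which turns an attempted injection into an auditable event instead of a silent no-op.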
Prerequisites
- Valid Mendix application user credentials (engineering or operator account)
- Access to a Mendix application using RichText widget version 4.0.0 through 4.6.0
- A victim user must view the injected content in their browser
Requires valid user credentials · User interaction required (victim must view injected content) · Low EPSS score (0.1%) · Medium severity
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product: Mendix RichText
Affected Versions: ≥ 4.0.0, < 4.6.1
Fix Status: 4.6.1
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Hotfix: Update Mendix RichText widget to version 4.6.1 or later
CVEs (1)