OTPulse

Improper Access Control Vulnerability in Mendix Email Connector Module

Plan: Patch
CVSS: 8.1
Advisory: SSA-224632
Published: Dec 13, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

The Mendix Email Connector module improperly handles access control for module entities. This allows authenticated remote attackers to read and manipulate sensitive information without proper authorization checks.

What this means
What could happen
An attacker with valid credentials could read and modify email configuration and sensitive data within applications using the Mendix Email Connector, potentially gaining access to email credentials or altering email routing and notifications critical to operations.
Who's at risk
Organizations using Mendix Email Connector in applications that handle sensitive email configurations, alerts, or notifications—including utility SCADA systems, historian interfaces, and operational reporting platforms that rely on email for notifications to control room operators.
How it could be exploited
An attacker with valid credentials to the Mendix application accesses the Email Connector module entities and exploits improper access controls to read sensitive configuration data (such as email credentials) or manipulate email settings without authorization.
Prerequisites
  • Valid credentials for the Mendix application
  • Network access to the Mendix application
  • The vulnerable Mendix Email Connector module (version < 2.0.0) deployed in the application
  • Requires valid credentials but no special privileges
  • Remote exploitation possible over network
  • Low attack complexity
  • High CVSS score (8.1)
  • Affects confidentiality and integrity
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product                  Affected Versions   Fix Status
Mendix Email Connector   < V2.0.0            2.0.0
Remediation & Mitigation
Do now
HARDENING: Review and restrict access to Email Connector module entities within Mendix applications to only authorized users and roles
HARDENING: Audit email configuration and credentials stored in Email Connector to identify any unauthorized access or modifications
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Mendix Email Connector to version 2.0.0 or later