User Enumeration Vulnerability in Mendix Forgot Password Module
Monitor · 5.3 · SSA-295483 · Oct 10, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The Mendix Forgot Password module contains a user enumeration vulnerability that allows an attacker to determine which user accounts exist in a system by probing the password reset endpoint without authentication. Differences in responses reveal whether a username or email address is registered, enabling reconnaissance for targeted attacks.
What this means
What could happen
An attacker can query the Mendix Forgot Password module to discover which user accounts exist in the system, enabling targeted attacks against those users.
Who's at risk
Organizations running Siemens or Mitsubishi Electric systems that use the Mendix platform with the Forgot Password module for user authentication and account recovery. This includes manufacturing, energy, and utilities sectors where web-based administrative interfaces are used to manage industrial systems.
How it could be exploited
An attacker sends requests to the Forgot Password endpoint without authentication and observes differences in responses (e.g., response time, error messages) to determine whether a given username or email is registered in the system. This enumeration can be done remotely over the network and at scale.
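The two response patterns described above, side by side, as an added example that is not the Mendix module's code: a reset handler whose status, message and elapsed time depend on whether the address is registered, the hardened equivalent that answers every input identically and pads its response time, and a small log check that flags the enumeration pattern (many distinct addresses submitted from one source). The user store, outbox, log format, endpoint path and the `MIN_RESPONSE_SECONDS` floor are all constructed assumptions.

```python
"""Added example (not the Mendix module's code): a forgot-password handler
that leaks account existence, the hardened equivalent, and a log check that
flags enumeration attempts. All names and data are constructed."""
import time
from collections import defaultdict

# Constructed user store standing in for the application's account table.
USERS = {"alice@example.com", "bob@example.com"}

# Outgoing mail queue; a real app would hand this to a background worker so
# that mail delivery cost never shows up in the HTTP response time.
OUTBOX = []


def _queue_reset_mail(email: str) -> None:
    OUTBOX.append(email)


# Vulnerable pattern: status, message and work done all depend on whether
# the address is registered, so an unauthenticated caller can tell them apart.
def forgot_password_leaky(email: str) -> dict:
    if email not in USERS:
        return {"status": 404, "message": "No account with that email address"}
    _queue_reset_mail(email)
    return {"status": 200, "message": "A reset link has been sent"}


# Hardened pattern: one response for every input, and the elapsed time is
# padded to a floor so the registered/unregistered branches look alike.
GENERIC_REPLY = {
    "status": 200,
    "message": "If that address is registered, a reset link has been sent",
}
MIN_RESPONSE_SECONDS = 0.02  # assumed floor; tune to the real handler's cost


def forgot_password_uniform(email: str) -> dict:
    start = time.perf_counter()
    if email in USERS:
        _queue_reset_mail(email)
    remaining = MIN_RESPONSE_SECONDS - (time.perf_counter() - start)
    if remaining > 0:
        time.sleep(remaining)
    return dict(GENERIC_REPLY)


def responses_distinguishable(handler, known: str, unknown: str) -> bool:
    """True when the handler's reply differs between a registered and an
    unregistered address, i.e. it leaks account existence."""
    return handler(known) != handler(unknown)


# Detection: many distinct addresses submitted to the reset endpoint from one
# source is the enumeration pattern the advisory describes.
def flag_enumeration(log_lines, threshold: int = 5) -> set:
    """Return source IPs that posted at least `threshold` distinct addresses.
    Log format is constructed: '<ip> POST /forgotpassword email=<addr>'."""
    seen = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4 or parts[1] != "POST":
            continue
        ip, email = parts[0], parts[3].removeprefix("email=")
        seen[ip].add(email)
    return {ip for ip, emails in seen.items() if len(emails) >= threshold}


# Constructed access-log sample: one source probing six addresses, one
# legitimate user requesting a reset for their own account.
SAMPLE_LOG = [
    f"203.0.113.9 POST /forgotpassword email=user{i}@example.com" for i in range(6)
] + ["198.51.100.4 POST /forgotpassword email=alice@example.com"]


if __name__ == "__main__":
    print("leaky handler leaks:", responses_distinguishable(
        forgot_password_leaky, "alice@example.com", "nobody@example.com"))
    print("uniform handler leaks:", responses_distinguishable(
        forgot_password_uniform, "alice@example.com", "nobody@example.com"))
    print("flagged sources:", flag_enumeration(SAMPLE_LOG))
```

The uniform handler still only queues mail for addresses that exist; the point is that nothing observable to the requester (status code, body, timing) changes with that decision. Per-source rate limiting on the endpoint complements this, since the log check above only catches enumeration after the fact.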
Prerequisites
- Network access to the Mendix application's Forgot Password endpoint
- No credentials required
remotely exploitable · no authentication required · low complexity · default user enumeration vector
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (4)
4 with fix
Product                                        | Affected Versions | Fix Status
Mendix Forgot Password (Mendix 10 compatible)  | < V5.4.0          | 5.4.0
Mendix Forgot Password (Mendix 7 compatible)   | < V3.7.3          | 3.7.3
Mendix Forgot Password (Mendix 8 compatible)   | < V4.1.3          | 4.1.3
Mendix Forgot Password (Mendix 9 compatible)   | < V5.4.0          | 5.4.0
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Mendix Forgot Password (Mendix 10 compatible)
HOTFIX: Update Mendix Forgot Password (Mendix 10 compatible) to version 5.4.0 or later
Mendix Forgot Password (Mendix 9 compatible)
HOTFIX: Update Mendix Forgot Password (Mendix 9 compatible) to version 5.4.0 or later
Mendix Forgot Password (Mendix 8 compatible)
HOTFIX: Update Mendix Forgot Password (Mendix 8 compatible) to version 4.1.3 or later
Mendix Forgot Password (Mendix 7 compatible)
HOTFIX: Update Mendix Forgot Password (Mendix 7 compatible) to version 3.7.3 or later
CVEs (1)
API:
/api/v1/advisories/9da75756-eefc-4f19-9478-7b60be60b798