XML Entity Expansion Injection Vulnerability in Mendix Excel Importer Module
Monitor · 6.5 · SSA-610768 · Jul 12, 2022
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
The Mendix Excel Importer module contains an XML Entity Expansion (XXE) injection vulnerability that allows authenticated attackers to trigger a denial of service condition by uploading malicious Excel files. When processed, the XML parser expands malicious entities recursively, consuming system memory and causing application unavailability. The vulnerability affects Mendix 8 compatible versions before 9.2.2 and Mendix 9 compatible versions before 10.1.2.
What this means
What could happen
An attacker with valid application credentials could upload a malicious Excel file to trigger an XML expansion attack, consuming system memory and causing the application to become unresponsive or crash, disrupting business processes that rely on Excel imports.
Who's at risk
Organizations using Mendix applications with the Excel Importer module for data integration, particularly those in utilities, manufacturing, and any sector that processes bulk operational data through Excel uploads. This affects any Mendix 8 or Mendix 9 compatible applications that import Excel files as part of their operational workflow.
How it could be exploited
An attacker with access to the Mendix application uploads a specially crafted Excel file containing malicious XML entities (XXE attack). When the Excel Importer module processes the file, the XML parser expands these entities recursively, exhausting system memory and causing a denial of service condition.
Prerequisites
- Valid application user credentials to access the Excel import function
- Network access to the Mendix application
- The application must have the vulnerable Excel Importer module enabled for file uploads
- Requires valid credentials (reduces immediate risk)
- Low exploit complexity
- Network accessible
- Availability impact (denial of service)
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
Mendix Excel Importer Module (Mendix 8 compatible) | < V9.2.2 | 9.2.2
Mendix Excel Importer Module (Mendix 9 compatible) | < V10.1.2 | 10.1.2
Remediation & Mitigation
Do now
WORKAROUND: Monitor and restrict the size of uploaded Excel files to prevent memory exhaustion attacks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Mendix Excel Importer Module (Mendix 8 compatible)
HOTFIX: Update Mendix Excel Importer Module (Mendix 8 compatible) to version 9.2.2 or later
Mendix Excel Importer Module (Mendix 9 compatible)
HOTFIX: Update Mendix Excel Importer Module (Mendix 9 compatible) to version 10.1.2 or later
Long-term hardening
HARDENING: Restrict Excel import functionality to authorized users only and implement file validation controls
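An added example (not Mendix's or the Excel Importer module's own code) of the file validation control named in the hardening item above, combined with the size-limit workaround: it rejects uploads that exceed a size cap, that decompress disproportionately, or whose XML parts declare a DTD, which is what entity expansion depends on. The limits, part names and sample workbooks are constructed assumptions.

```python
import io
import re
import zipfile

# Assumed limits for illustration; tune them to the application's real import sizes.
MAX_UPLOAD_BYTES = 5 * 1024 * 1024         # raw upload cap (the advisory's workaround)
MAX_UNCOMPRESSED_BYTES = 50 * 1024 * 1024  # total declared size of all zip members
MAX_COMPRESSION_RATIO = 100                # flags decompression bombs inside parts
# Entity expansion needs a DTD, and legitimate OOXML parts do not declare one,
# so any DOCTYPE or ENTITY declaration is grounds for rejecting the file.
DTD_MARKERS = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def check_xlsx_upload(data: bytes) -> list[str]:
    """Return rejection reasons for an uploaded .xlsx; an empty list means accept."""
    if len(data) > MAX_UPLOAD_BYTES:
        return [f"upload exceeds {MAX_UPLOAD_BYTES} bytes"]
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid OOXML (zip) container"]
    problems, total = [], 0
    with zf:
        for info in zf.infolist():
            total += info.file_size
            if total > MAX_UNCOMPRESSED_BYTES:
                problems.append("declared uncompressed size exceeds limit")
                break
            if info.compress_size and info.file_size / info.compress_size > MAX_COMPRESSION_RATIO:
                problems.append(f"{info.filename}: compression ratio above {MAX_COMPRESSION_RATIO}")
            if info.filename.lower().endswith((".xml", ".rels")):
                with zf.open(info) as part:  # zipfile bounds reads by the declared member size
                    if DTD_MARKERS.search(part.read()):
                        problems.append(f"{info.filename}: DTD/entity declaration present")
    return problems


def build_xlsx(parts: dict[str, bytes]) -> bytes:
    """Build a minimal constructed OOXML-style zip from {part name: XML bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: a clean sheet part, and one declaring an internal DTD entity.
CLEAN_XLSX = build_xlsx({"xl/worksheets/sheet1.xml": b'<?xml version="1.0"?><worksheet/>'})
DTD_XLSX = build_xlsx({"xl/worksheets/sheet1.xml":
                       b'<?xml version="1.0"?><!DOCTYPE worksheet [<!ENTITY e "x">]><worksheet>&e;</worksheet>'})
```

Run the check before the file reaches the importer's XML parser; a non-empty list is the reason to refuse the upload and log it.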
CVEs (1)