Observable Response Discrepancy in Mendix Forgot Password Module
Rating: Monitor | Score: 5.3 | Siemens advisory: SSA-699404 | Published: Apr 11, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The Mendix Forgot Password module contains an observable response discrepancy vulnerability that allows attackers to enumerate valid user accounts without authentication. Specifically, the password reset endpoint returns different responses based on whether an email address exists in the system, enabling attackers to identify valid usernames and email addresses through information disclosure. Siemens has released patched versions for Mendix 7, 8, and 9 compatible modules.
What this means
What could happen
An attacker could identify valid user email addresses or account usernames by observing differences in password reset response messages, potentially enabling targeted phishing or account enumeration attacks against your operational technology users.
Who's at risk
Organizations using Siemens or Mitsubishi Electric platforms built on Mendix (versions 7, 8, or 9) that include the Forgot Password module for user authentication. This affects any web-based engineering portal, SCADA dashboard, or administrative interface using the affected Mendix versions.
How it could be exploited
An attacker sends password reset requests to the Mendix-based application with various email addresses or usernames. By observing the response timing or message differences, they can determine which accounts exist in the system without needing valid credentials, then use that list for targeted attacks against your OT staff.
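The discrepancy described above is easiest to see as code. The following is an added example, not the Mendix module's own code: a minimal password-reset handler written the way the advisory describes (a different message for known and unknown addresses), beside a hardened version that returns one fixed response and does the same work for every input. The user store, addresses, token key and the `responses_distinguishable` check are all constructed for the example.

```python
"""Added example (not Mendix's code): a password-reset handler with an
observable response discrepancy, and a uniform-response version of it."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed sample user store and signing key; nothing here is real.
USERS = {"alice@example.com": {"id": 1}, "bob@example.com": {"id": 2}}
TOKEN_KEY = secrets.token_bytes(32)

# Outbox standing in for the mail system, so the example runs offline.
SENT: list[tuple[str, str]] = []


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def _issue_reset_token(email: str) -> str:
    """HMAC over address + nonce stands in for a stored, expiring reset token."""
    nonce = secrets.token_bytes(16)
    return hmac.new(TOKEN_KEY, email.encode() + nonce, hashlib.sha256).hexdigest()


def _send_mail(email: str, token: str) -> None:
    SENT.append((email, token))


def forgot_password_discrepant(email: str) -> Response:
    """Vulnerable pattern (as the advisory describes it): status and message
    differ by account existence, and so does the work performed, which also
    makes the timing differ."""
    if email not in USERS:
        return Response(404, "No account found for this email address.")
    token = _issue_reset_token(email)
    _send_mail(email, token)
    return Response(200, "A password reset link has been sent.")


def forgot_password_uniform(email: str) -> Response:
    """Hardened pattern: the same status and body for every input, and the
    token derivation runs whether or not the account exists, so neither the
    content nor the server-side work reveals existence."""
    token = _issue_reset_token(email)  # always computed, never skipped
    if email in USERS:
        _send_mail(email, token)       # in production: queue, do not await
    return Response(
        200, "If an account exists for that address, a reset link has been sent."
    )


def responses_distinguishable(handler, known: str, unknown: str) -> bool:
    """Defender's check: does the handler's visible output differ between a
    known and an unknown address? True means accounts can be enumerated."""
    a, b = handler(known), handler(unknown)
    return (a.status, a.body) != (b.status, b.body)


if __name__ == "__main__":
    for name, handler in (("discrepant", forgot_password_discrepant),
                          ("uniform", forgot_password_uniform)):
        leaks = responses_distinguishable(handler, "alice@example.com",
                                          "nobody@example.com")
        print(f"{name}: enumerable={leaks}")
```

The check compares only status and body; in a real deployment the mail send should be queued so the response time does not depend on whether a message was actually dispatched, and the endpoint should additionally be rate limited per source, since the advisory's prerequisite is nothing more than network reach to the reset endpoint.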
Prerequisites
- Network access to the Mendix application's forgot password endpoint
- No credentials required - the password reset function is unauthenticated
Tags: remotely exploitable, no authentication required, low complexity, account enumeration enabled
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (3), all with a fix available
Product | Affected Versions | Fix Status
Mendix Forgot Password (Mendix 7 compatible) | < V3.7.1 | 3.7.1
Mendix Forgot Password (Mendix 8 compatible) | < V4.1.1 | 4.1.1
Mendix Forgot Password (Mendix 9 compatible) | < V5.1.1 | 5.1.1
Remediation & Mitigation
Schedule: requires maintenance window. Patching may require device reboot; plan for process interruption.
Mendix Forgot Password (Mendix 7 compatible)
Hotfix: Update the Mendix Forgot Password (Mendix 7 compatible) module to version 3.7.1 or later
Mendix Forgot Password (Mendix 8 compatible)
Hotfix: Update the Mendix Forgot Password (Mendix 8 compatible) module to version 4.1.1 or later
Mendix Forgot Password (Mendix 9 compatible)
Hotfix: Update the Mendix Forgot Password (Mendix 9 compatible) module to version 5.1.1 or later
CVEs (1)
API:
/api/v1/advisories/f1951cbe-c0a2-45e8-a3ad-89f9902df8c5