OTPulse

Information Disclosure Vulnerability in Mendix Excel Importer Module

Monitor · CVSS 4.3 · SSA-854248 · May 11, 2021
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

The Mendix Excel Importer module contains an information disclosure vulnerability (CWE-209) that allows authenticated users to access sensitive data. The vulnerability has been resolved in version 9.0.3.

What this means
What could happen
An authenticated attacker could view sensitive information from Excel import operations or system files that should not be accessible. This is a low-severity information disclosure with limited impact on physical operations.
Who's at risk
Organizations using Siemens Mendix platform with the Excel Importer module for data import workflows should prioritize this update. This affects primarily business application environments and supervisory systems that rely on Excel integration for configuration or data management.
How it could be exploited
An attacker with valid application credentials could trigger the Excel Importer module to disclose sensitive data through error messages or improperly restricted file access. This requires network access to the Mendix application and authenticated login.
Prerequisites
  • Valid credentials to the Mendix application
  • Network access to the affected Mendix application
  • Excel Importer module installed and in use
requires authentication · information disclosure only · low EPSS score
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
Mendix Excel Importer Module | < V9.0.3 | 9.0.3
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Mendix Excel Importer module to version 9.0.3 or later