CVE-2022-26314
Published 2022-03-08
Priority P2 58 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.44% (69.8th percentile)
A vulnerability has been identified in Mendix Forgot Password Appstore module (All versions >= V3.3.0 < V3.5.1), Mendix Forgot Password Appstore module (Mendix 7 compatible) (All versions < V3.2.2). Initial passwords are generated in an insecure manner. This could allow an unauthenticated remote attacker to efficiently brute force passwords in specific situations.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mendix | forgot_password | < 3.2.2 | 3.2.2 |
| mendix | forgot_password | >= 3.3.0 < 3.5.1 | 3.5.1 |
| siemens | mendix_forgot_password_appstore_module | — | — |
| siemens | mendix_forgot_password_appstore_module | — | — |
Detection & IOCs (extracted from sources)
- CVE-2022-26314 involves insecure initial password generation in the Mendix Forgot Password Appstore module, enabling unauthenticated remote brute force of passwords. Monitor for excessive authentication attempts against Mendix application login endpoints.
- No known public exploits specifically target these vulnerabilities as of the advisory date; focus detection on anomalous login volume/rate rather than known exploit signatures.
- The brute force risk is conditional: exploitation is only efficient in "specific situations" tied to the insecure initial password generation, not universally against all Mendix accounts.
- Disabling the sign-up feature in Mendix is documented as a mitigation path if patching is not immediately possible.
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
GHSA
GHSA-v94f-h6hr-hfqh (ghsa_unreviewed · 2022-03-09) · CVE-2022-26314 · CRITICAL · CWE-307
A vulnerability has been identified in Mendix Forgot Password Appstore module (All versions >= V3.3.0 < V3.5.1), Mendix Forgot Password Appstore module (Mendix 7 compatible) (All versions < V3.2.2). Initial passwords are generated in an insecure manner. This could allow an unauthenticated remote attacker to efficiently brute force passwords in specific situations.
CISA ICS
Siemens SINEMA Mendix Forgot Password Appstore (cisa_ics · 2022-03-14 · CVSS 9.8 · CRITICAL)
ICS Advisory
## Siemens SINEMA Mendix Forgot Password Appstore
Last Revised: March 14, 2022
Alert Code: ICSA-22-069-04
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.1
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: Mendix Forgot Password Appstore module
- Vulnerabilities: Improper Access Control, Improper Restriction of Excessive Authentication Attempts
## 2. RISK EVALUATION
These vulnerabilities could allow a threat actor access to arbitrary user accounts.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of Mendix Forgot Password Appstor
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2022-03-08