CVE-2022-46823 - Vulnerability Details - OpenCVE

A vulnerability has been identified in Mendix SAML (Mendix 8 compatible) (All versions >= V2.3.0 < V2.3.4), Mendix SAML (Mendix 9 compatible, New Track) (All versions >= V3.3.0 < V3.3.9), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions >= V3.3.0 < V3.3.8). The affected module is vulnerable to reflected cross-site scripting (XSS) attacks. This could allow an attacker to extract sensitive information by tricking users into accessing a malicious link.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Mendix	Saml

Configuration 1 [-]

OR	cpe:2.3:a:mendix:saml::::::::
	cpe:2.3:a:mendix:saml::::::::

No data.

References

Link	Providers
https://cert-portal.siemens.com/productcert/pdf/ssa-496604.pdf

History

No history.

MITRE

Status: PUBLISHED

Assigner: siemens

Published: 2023-01-10T11:39:46.211Z

Updated: 2024-08-03T14:39:38.695Z

Reserved: 2022-12-08T15:19:35.234Z

Link: CVE-2022-46823

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-01-10T12:15:23.753

Modified: 2024-11-21T07:31:07.160

Link: CVE-2022-46823

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-46823", "assignerOrgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "state": "PUBLISHED", "assignerShortName": "siemens", "dateReserved": "2022-12-08T15:19:35.234Z", "datePublished": "2023-01-10T11:39:46.211Z", "dateUpdated": "2024-08-03T14:39:38.695Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "cec7a2ec-15b4-4faf-bd53-b40f371f3a77", "shortName": "siemens", "dateUpdated": "2023-01-10T11:39:46.211Z"}, "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Mendix SAML (Mendix 8 compatible) (All versions >= V2.3.0 < V2.3.4), Mendix SAML (Mendix 9 compatible, New Track) (All versions >= V3.3.0 < V3.3.9), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions >= V3.3.0 < V3.3.8). The affected module is vulnerable to reflected cross-site scripting (XSS) attacks. This could allow an attacker to extract sensitive information by tricking users into accessing a malicious link."}], "affected": [{"vendor": "Siemens", "product": "Mendix SAML (Mendix 8 compatible)", "versions": [{"version": "All versions >= V2.3.0 < V2.3.4", "status": "affected"}], "defaultStatus": "unknown"}, {"vendor": "Siemens", "product": "Mendix SAML (Mendix 9 compatible, New Track)", "versions": [{"version": "All versions >= V3.3.0 < V3.3.9", "status": "affected"}], "defaultStatus": "unknown"}, {"vendor": "Siemens", "product": "Mendix SAML (Mendix 9 compatible, Upgrade Track)", "versions": [{"version": "All versions >= V3.3.0 < V3.3.8", "status": "affected"}], "defaultStatus": "unknown"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N/E:P/RL:O/RC:C", "baseScore": 9.3, "baseSeverity": "CRITICAL"}}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "references": [{"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-496604.pdf"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T14:39:38.695Z"}, "title": "CVE Program Container", "references": [{"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-496604.pdf", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mendix:saml:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA388A2C-406A-4911-96EC-ACB1574B83AC", "versionEndExcluding": "2.3.4", "versionStartIncluding": "2.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mendix:saml:*:*:*:*:*:*:*:*", "matchCriteriaId": "506D83D7-350A-4586-83AE-93E56C61C5FE", "versionEndExcluding": "3.3.9", "versionStartIncluding": "3.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability has been identified in Mendix SAML (Mendix 8 compatible) (All versions >= V2.3.0 < V2.3.4), Mendix SAML (Mendix 9 compatible, New Track) (All versions >= V3.3.0 < V3.3.9), Mendix SAML (Mendix 9 compatible, Upgrade Track) (All versions >= V3.3.0 < V3.3.8). The affected module is vulnerable to reflected cross-site scripting (XSS) attacks. This could allow an attacker to extract sensitive information by tricking users into accessing a malicious link."}, {"lang": "es", "value": "Se ha identificado una vulnerabilidad en Mendix SAML (compatible con Mendix 8) (Todas las versiones >= V2.3.0 < V2.3.4), Mendix SAML (compatible con Mendix 9, New Track) (Todas las versiones >= V3.3.0 < V3.3.9), Mendix SAML (compatible con Mendix 9, Upgrade Track) (Todas las versiones >= V3.3.0 < V3.3.8). El m\u00f3dulo afectado es vulnerable a ataques de cross-site scripting (XSS) reflejado. Esto podr\u00eda permitir a un atacante extraer informaci\u00f3n confidencial enga\u00f1ando a los usuarios para que accedan a un enlace malicioso."}], "id": "CVE-2022-46823", "lastModified": "2024-11-21T07:31:07.160", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.8, "source": "productcert@siemens.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-01-10T12:15:23.753", "references": [{"source": "productcert@siemens.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-496604.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://cert-portal.siemens.com/productcert/pdf/ssa-496604.pdf"}], "sourceIdentifier": "productcert@siemens.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "productcert@siemens.com", "type": "Secondary"}]}