Vulnerabilities > CVE-2022-26314 - Improper Restriction of Excessive Authentication Attempts vulnerability in Mendix Forgot Password

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

mendix

CWE-307

critical

NVD

Published: 2022-03-08

Updated: 2022-03-11

Summary

A vulnerability has been identified in Mendix Forgot Password Appstore module (All versions >= V3.3.0 < V3.5.1), Mendix Forgot Password Appstore module (Mendix 7 compatible) (All versions < V3.2.2). Initial passwords are generated in an insecure manner. This could allow an unauthenticated remote attacker to efficiently brute force passwords in specific situations.

Vulnerable Configurations

Part	Description	Count
Application	Mendix Mendix Forgot Password 3.3.0 Mendix Forgot Password 3.3.2 Mendix Forgot Password 3.4.0 Mendix Forgot Password - Mendix Forgot Password 2.0.0 Mendix Forgot Password 3.0.0 Mendix Forgot Password 3.1.0 Mendix Forgot Password 3.2.0 Mendix Forgot Password 3.2.1	9

Common Weakness Enumeration (CWE)

CWE-307 - Improper Restriction of Excessive Authentication Attempts

References

https://cert-portal.siemens.com/productcert/pdf/ssa-134279.pdf