Full Report
The Mendix Forgot Password module contains a user enumeration vulnerability that could allow an attacker to determine which usernames or email addresses are valid. Siemens has released updates for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: User Enumeration in Mendix Forgot Password Module
## CVE Details
- **CVE ID:** CVE-2023-43623
- **CVSS Score:** 5.3 (Medium)
- **CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- **CWE:** CWE-203 (Observable Discrepancy)
## Affected Systems
- **Products:** Mendix Forgot Password Module
- **Versions:**
  - Mendix 7 compatible versions: All < V3.7.3
  - Mendix 8 compatible versions: All < V4.1.3
  - Mendix 9 compatible versions: All < V5.4.0
  - Mendix 10 compatible versions: All < V5.4.0
- **Configurations:** Applications utilizing the "Forgot Password" module for user self-registration or password resets.
## Vulnerability Description
The Mendix Forgot Password module fails to provide uniform response messages or timing when handling password reset requests. Because the application provides distinguishable responses (Observable Discrepancies) based on whether a username or email address is valid within the system, it allows for user enumeration.
## Exploitation
- **Status:** Proof of Concept (PoC) available (Based on CVSS exploitability sub-score "E:P")
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Low (Information disclosure regarding the existence of user accounts)
- **Integrity:** None
- **Availability:** None
- **Note:** While the direct impact is low, successful user enumeration significantly facilitates secondary attacks, such as targeted credential stuffing or brute-force attempts.
## Remediation
### Patches
Siemens recommends updating the module to the following versions via the Mendix Marketplace:
- **Mendix 7 compatible:** Update to V3.7.3 or later
- **Mendix 8 compatible:** Update to V4.1.3 or later
- **Mendix 9 & 10 compatible:** Update to V5.4.0 or later
### Workarounds
No specific software workarounds were provided. Siemens recommends following "General Security Recommendations" including protecting network access with appropriate mechanisms and configuring environments according to Siemens' operational guidelines.
## Detection
- **Indicators of Compromise:** Unusual volumes of POST requests to the password reset endpoint from a single source, specifically targeting varying usernames or email addresses.
- **Detection methods:** Review application logs for patterns indicative of automated scanning on the forgot password functionality. Implement rate limiting to detect and block rapid enumeration attempts.
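Detection logic for the log-review method described above, as an added example that is not part of the advisory or of the Mendix module: it parses a hypothetical application log format (assumed, not Mendix's own), tracks how many distinct identifiers each source submits to the password reset endpoint within a sliding time window, and flags sources that exceed a threshold while leaving a legitimate user who retries the same account alone.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Hypothetical application-log format (assumed here, not Mendix's own):
# <ISO timestamp> ForgotPassword src=<ip> user=<submitted identifier>
LINE_RE = re.compile(r"^(\S+) ForgotPassword src=(\S+) user=(\S+)$")

def find_enumeration(lines, window_seconds=60, distinct_threshold=5):
    """Flag sources that submit >= distinct_threshold different identifiers
    to the reset endpoint within any window_seconds span.
    Returns {src: max distinct identifiers seen in a single window}."""
    per_src = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # ignore lines that are not reset requests
            ts, src, user = m.groups()
            per_src[src].append((datetime.fromisoformat(ts), user))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        in_window, left = Counter(), 0
        for ts, user in events:
            in_window[user] += 1
            # Drop events older than the window from the left edge.
            while (ts - events[left][0]).total_seconds() > window_seconds:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= distinct_threshold:
                alerts[src] = max(alerts.get(src, 0), len(in_window))
    return alerts

# Constructed sample: 10.0.0.5 walks through six identifiers in seconds,
# while 192.0.2.7 is a legitimate user retrying the same account.
SAMPLE_LOG = """\
2023-10-12T10:00:01 ForgotPassword src=10.0.0.5 user=alice
2023-10-12T10:00:02 ForgotPassword src=10.0.0.5 user=bob
2023-10-12T10:00:03 ForgotPassword src=10.0.0.5 user=carol
2023-10-12T10:00:04 ForgotPassword src=10.0.0.5 user=dave
2023-10-12T10:00:05 ForgotPassword src=10.0.0.5 user=erin
2023-10-12T10:00:06 ForgotPassword src=10.0.0.5 user=frank
2023-10-12T10:00:10 ForgotPassword src=192.0.2.7 user=alice
2023-10-12T10:01:30 ForgotPassword src=192.0.2.7 user=alice
""".splitlines()
```

Tune `window_seconds` and `distinct_threshold` to the application's normal reset traffic; a real deployment would feed the flagged sources into the rate limiting mentioned above rather than only reporting them.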
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-295483[.]html
- **Mendix Marketplace:** hxxps://marketplace[.]mendix[.]com/link/component/1296
- **Siemens Industrial Security Guidelines:** hxxps://www[.]siemens[.]com/cert/operational-guidelines-industrial-security