#VU91991 Improper Privilege Management in Mendix Applications using Mendix 9 and Mendix Applications using Mendix 10 - CVE-2024-33500

Cybersecurity Help s.r.o.

Published: 2024-06-12

Vulnerability identifier: #VU91991

Vulnerability risk: Low

CVSSv4.0: 4.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-33500

CWE-ID: CWE-269

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Mendix Applications using Mendix 9
Client/Desktop applications / Other client software
Mendix Applications using Mendix 10
Client/Desktop applications / Other client software

Vendor: Siemens

Description

The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper privilege management. A remote administrator with the capability to manage a role can elevate the access rights of users with that role.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Mendix Applications using Mendix 9: 9.3.0

Mendix Applications using Mendix 10: before 10.6.9

External links
https://cert-portal.siemens.com/productcert/html/ssa-540640.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Improper Privilege Management in Siemens Mendix Runtime