CVE-2025-30280

A vulnerability has been identified in Mendix Runtime V10 (All versions < V10.21.0), Mendix Runtime V10.12 (All versions < V10.12.16), Mendix Runtime V10.18 (All versions < V10.18.5), Mendix Runtime V10.6 (All versions < V10.6.22), Mendix Runtime V8 (All versions), Mendix Runtime V9 (All versions < V9.24.34). Affected applications allow for entity enumeration due to distinguishable responses in certain client actions. This could allow an unauthenticated remote attacker to list all valid entities and attribute names of a Mendix Runtime-based application.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://cert-portal.siemens.com/productcert/html/ssa-874353.html

Configurations

No configuration.

History

14 Apr 2025, 08:15

Type	Values Removed	Values Added
Summary	(en) A vulnerability has been identified in Mendix Runtime V10 (All versions < V10.21.0), Mendix Runtime V10.12 (All versions), Mendix Runtime V10.18 (All versions < V10.18.5), Mendix Runtime V10.6 (All versions), Mendix Runtime V8 (All versions), Mendix Runtime V9 (All versions < V9.24.34). Affected applications allow for entity enumeration due to distinguishable responses in certain client actions. This could allow an unauthenticated remote attacker to list all valid entities and attribute names of a Mendix Runtime-based application.	(en) A vulnerability has been identified in Mendix Runtime V10 (All versions < V10.21.0), Mendix Runtime V10.12 (All versions < V10.12.16), Mendix Runtime V10.18 (All versions < V10.18.5), Mendix Runtime V10.6 (All versions < V10.6.22), Mendix Runtime V8 (All versions), Mendix Runtime V9 (All versions < V9.24.34). Affected applications allow for entity enumeration due to distinguishable responses in certain client actions. This could allow an unauthenticated remote attacker to list all valid entities and attribute names of a Mendix Runtime-based application.

10 Apr 2025, 09:15

Type	Values Removed	Values Added
Summary	(en) A vulnerability has been identified in Mendix Runtime V10 (All versions < V10.21.0), Mendix Runtime V10.12 (All versions), Mendix Runtime V10.18 (All versions), Mendix Runtime V10.6 (All versions), Mendix Runtime V8 (All versions), Mendix Runtime V9 (All versions < V9.24.34). Affected applications allow for entity enumeration due to distinguishable responses in certain client actions. This could allow an unauthenticated remote attacker to list all valid entities and attribute names of a Mendix Runtime-based application.	(en) A vulnerability has been identified in Mendix Runtime V10 (All versions < V10.21.0), Mendix Runtime V10.12 (All versions), Mendix Runtime V10.18 (All versions < V10.18.5), Mendix Runtime V10.6 (All versions), Mendix Runtime V8 (All versions), Mendix Runtime V9 (All versions < V9.24.34). Affected applications allow for entity enumeration due to distinguishable responses in certain client actions. This could allow an unauthenticated remote attacker to list all valid entities and attribute names of a Mendix Runtime-based application.

08 Apr 2025, 18:13

Type	Values Removed	Values Added
Summary		(es) Se ha identificado una vulnerabilidad en Mendix Runtime V10 (todas las versiones anteriores a la V10.21.0), Mendix Runtime V10.12 (todas las versiones), Mendix Runtime V10.18 (todas las versiones), Mendix Runtime V10.6 (todas las versiones), Mendix Runtime V8 (todas las versiones) y Mendix Runtime V9 (todas las versiones anteriores a la V9.24.34). Las aplicaciones afectadas permiten la enumeración de entidades debido a respuestas distinguibles en ciertas acciones del cliente. Esto podría permitir que un atacante remoto no autenticado liste todas las entidades y nombres de atributos válidos de una aplicación basada en Mendix Runtime.

08 Apr 2025, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-08 09:15

Updated : 2025-04-14 08:15

NVD link : CVE-2025-30280

Mitre link : CVE-2025-30280

CVE.ORG link : CVE-2025-30280

JSON object : View

Products Affected

No product.

CWE

CWE-204

Observable Response Discrepancy

5.3 /10