CVE-2022-25650: 
Mendix vulnerability analysis and mitigation

A vulnerability has been identified in Mendix Applications affecting multiple versions: Mendix 7 (versions before V7.23.27), Mendix 8 (versions before V8.18.14), Mendix 9 (versions before V9.12.0), and Mendix 9.6 (versions before V9.6.3). The vulnerability was disclosed in April 2022 and relates to improper access control when querying databases (NVD, CISA).

The vulnerability allows authenticated users to sort database query results using protected fields, which could lead to information disclosure. The issue has been assigned CVE-2022-25650 and has received a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified under CWE-284 (Improper Access Control) (NVD).

If exploited, this vulnerability could allow an authenticated attacker to extract information about the contents of protected database fields, potentially exposing sensitive data that should be restricted (CISA).

Siemens has released patches to address this vulnerability. Users are advised to update to the following versions: Mendix 7 to version 7.23.27 or later, Mendix 8 to version 8.18.14 or later, Mendix 9 to version 9.12.0 or later, or Mendix 9.6 to version 9.6.3 or later. As a general security measure, it is recommended to protect network access with appropriate mechanisms and configure the environment according to Siemens' operational guidelines for industrial security (CISA).