Verysecureapp
Monthly
Anonymous authorization bypass in Mendix Studio Pro (all versions up to 11.8.0 Beta) causes the Anonymous user role to silently follow standard user-inheritance rules, so an unauthenticated visitor can read every record in an entity even when no access rights are configured for that role. Demonstrated in DIVD's VerySecureApp (≤1.1.0), the flaw exposes entire datasets to anonymous callers whenever anonymous access is enabled to publish an entity publicly. There is no public exploit identified at time of analysis, EPSS is very low (0.04%), and it is not on CISA KEV, but SSVC rates technical impact as total and automatable.
Anonymous authorization bypass in Mendix Studio Pro (all versions up to 11.8.0 Beta) causes the Anonymous user role to silently follow standard user-inheritance rules, so an unauthenticated visitor can read every record in an entity even when no access rights are configured for that role. Demonstrated in DIVD's VerySecureApp (≤1.1.0), the flaw exposes entire datasets to anonymous callers whenever anonymous access is enabled to publish an entity publicly. There is no public exploit identified at time of analysis, EPSS is very low (0.04%), and it is not on CISA KEV, but SSVC rates technical impact as total and automatable.