Merge pull request #9336 from mendix/MvM-CVE-2025-30280

Add CVE-2025-30280 to Security Advisories

Author: MarkvanMents

Diff for: content/en/docs/releasenotes/security-advisories/_index.md

@@ -20,8 +20,9 @@ Siemens publishes their common vulnerabilities and exposures (CVE) on the second
 
 | CVE ID | CVSS v3.1 Base Score | Siemens Security Advisory (SSA) Description | Notes |
 | --- | --- | ---  | --- |
-| CVE 2024-50313 | 5.3 | [Race Condition Vulnerability in Basic Authentication Implementation of Mendix Runtime](https://cert-portal.siemens.com/productcert/html/ssa-914892.html) | See the SSA description for remediation details. |
-| CVE-2024-56841 | 7.4 | [LDAP Injection Vulnerability in Mendix LDAP Module](https://cert-portal.siemens.com/productcert/html/ssa-314390.html) | See the SSA description for remediation details. |
+| <a id="30280">CVE-2025-30280 | 5.3 | [Entity Enumeration Vulnerability in Mendix Runtime](https://cert-portal.siemens.com/productcert/html/ssa-874353.html) | See the SSA description for remediation details. |
+| <a id="50313">CVE-2024-50313 | 5.3 | [Race Condition Vulnerability in Basic Authentication Implementation of Mendix Runtime](https://cert-portal.siemens.com/productcert/html/ssa-914892.html) | See the SSA description for remediation details. |
+| <a id="56841">CVE-2024-56841 | 7.4 | [LDAP Injection Vulnerability in Mendix LDAP Module](https://cert-portal.siemens.com/productcert/html/ssa-314390.html) | See the SSA description for remediation details. |
 |  <a id="39888"></a>CVE-2024-39888 | 7.5 | [Hard-coded Default Encryption Key in Mendix Encryption Module v10.0.0 and v10.0.1](https://cert-portal.siemens.com/productcert/html/ssa-998949.html)  | See the SSA description for remediation details. |
 |  <a id="33500"></a>CVE-2024-33500 | 5.9 | [Improper Privilege Management Vulnerability in Mendix Runtime](https://cert-portal.siemens.com/productcert/html/ssa-540640.html)  | See the SSA description for remediation details. |
 |  <a id="49069"></a>CVE-2023-49069 | 5.3 | [Usernames Disclosure Vulnerability in Mendix Runtime](https://cert-portal.siemens.com/productcert/html/ssa-097435.html)  | See the SSA description for remediation details. |

Diff for: content/en/docs/releasenotes/studio-pro/10/10.21.md

@@ -161,6 +161,7 @@ This improvement simplifies widget code. Widget developers no longer need to set
 * We have fixed an issue where applications using the React client got cached incorrectly causing new deployments to work incorrectly.
 * We fixed an issue where a false positive warning for unreplaceable usages was triggered when converting between nanoflows and microflows.
 * We removed the border inside the **New features** tab page in the **Preferences** dialog box.
+* We fixed [CVE-2025-30280](/releasenotes/security-advisories/#30280).
 
 ### Deprecations
 

Diff for: content/en/docs/releasenotes/studio-pro/9/9.24.md

@@ -19,51 +19,53 @@ This is the [LTS](/releasenotes/studio-pro/lts-mts/#lts) version 9 release for a
 
 ### New Features
 
-- We added custom runtime setting `TrackUserLastLoginForODataAndREST` (default: `true`). Setting it to `false` causes the runtime to not update the `LastLogin` attribute of users accessing published OData and REST services. (In Studio Pro 10, `TrackWebServiceUserLastLogin` has this effect.)
-- We introduced a new feature that allows users to provide feedback on their experience with Studio Pro through a periodic pop-up survey. This feedback is valuable for the Mendix team to understand user needs and improve the product. For more information, see [Feedback Survey](/refguide9/feedback-survey/).
+* We added custom runtime setting `TrackUserLastLoginForODataAndREST` (default: `true`). Setting it to `false` causes the runtime to not update the `LastLogin` attribute of users accessing published OData and REST services. (In Studio Pro 10, `TrackWebServiceUserLastLogin` has this effect.)
+* We introduced a new feature that allows users to provide feedback on their experience with Studio Pro through a periodic pop-up survey. This feedback is valuable for the Mendix team to understand user needs and improve the product. For more information, see [Feedback Survey](/refguide9/feedback-survey/).
 
 ### Improvements
 
-- We made the offline server calls more resilient by adding an automatic retry in case of connection errors. This is done for all offline-related independent calls, except when calling a microflow. For calling a microflow, you can capture the connection error in a nanoflow and build retry logic around that when necessary. (Ticket 224494)
-- We improved deployment speed for non-progressive web applications.
-- Studio Pro is now based on a .NET 8 instead of .NET 6. Therefore, .NET 8 is a new prerequisite for the application. For more information, see [System Requirements](/refguide9/system-requirements/).
-- We made the administration of running application nodes more stable and improved the logging in this area. This makes the execution of tasks from the queue more reliable.
-- We now include Java 21 instead of Java 11 in the installer.
-- New apps will now use Java 21 by default.
-- We updated the bundled JDK to version 21.0.5.11.
+* We made the offline server calls more resilient by adding an automatic retry in case of connection errors. This is done for all offline-related independent calls, except when calling a microflow. For calling a microflow, you can capture the connection error in a nanoflow and build retry logic around that when necessary. (Ticket 224494)
+* We improved deployment speed for non-progressive web applications.
+* Studio Pro is now based on a .NET 8 instead of .NET 6. Therefore, .NET 8 is a new prerequisite for the application. For more information, see [System Requirements](/refguide9/system-requirements/).
+* We made the administration of running application nodes more stable and improved the logging in this area. This makes the execution of tasks from the queue more reliable.
+* We now include Java 21 instead of Java 11 in the installer.
+* New apps will now use Java 21 by default.
+* We updated the bundled JDK to version 21.0.5.11.
 
 ### Fixes
 
-- We fixed an issue that controls in pop-up dialogs sometimes did not resize correctly when the dialog was resized. (Ticket 238211)
-- We decreased the chance for database transaction deadlocks when updating the **LastActive** attribute for System.Session instances. (Ticket 240094)
-- We changed when we send back hash updates for object changes. This should solve the hash conflict errors when running flows in parallel with a microflow that both Read/Write the same object. (Tickets 240118, 240696, 241168)
-- We resolved a potential crash when working with the clipboard in Studio Pro. (Ticket 240122)
-- We fixed an issue in a data grid with the **Select all** button and pagination set to **Yes (without total count)**, where calling a microflow action resulted in a **No selection available** pop-up error. (Ticket 241513)
-- We fixed the navigation profile selection. When using an iPad, it will now correctly use the tablet navigation profile if available. (Ticket 241824)
-- We upgraded the Netty dependency to 4.1.118. (Ticket 242071)
-- We improved the stability of Studio Pro when debugging nanoflows.
-- We fixed an issue where updating the metadata of a consumed OData service where one of the consumed entities did not exist anymore showed an exception.
-- We install the dotnet runtime x64 on Arm64 computers again, since the Console tools still requires the x64 in this Studio Pro version. We had previously stopped including it, which was the cause of the issue.
-- We fixed an error that occurred when using keyboard navigation in a tree control.
-- We fixed an issue in consumed OData services where the HTTP response from downloading metadata from a URL was not cleaned up correctly.
-- We resolved a potential crash during startup or shutdown of Studio Pro.
-- We fixed an issue where an **Oops** pop-up window was shown when extracting widgets that use an `unknown` entity type in a snippet.
-- We modified how runtime reports errors when a non-existing entity used when instantiating or querying objects.
-- We fixed an issue where attempting to convert a nanoflow or a microflow in the System module resulted in an error. This option is now disabled for the System module.
-- We fixed an issue with updating module roles in the **Module Security** dialog box. The issue occurred after moving a document between modules.
+* We fixed an issue that controls in pop-up dialogs sometimes did not resize correctly when the dialog was resized. (Ticket 238211)
+* We decreased the chance for database transaction deadlocks when updating the **LastActive** attribute for System.Session instances. (Ticket 240094)
+* We changed when we send back hash updates for object changes. This should solve the hash conflict errors when running flows in parallel with a microflow that both Read/Write the same object. (Tickets 240118, 240696, 241168)
+* We resolved a potential crash when working with the clipboard in Studio Pro. (Ticket 240122)
+* We fixed an issue in a data grid with the **Select all** button and pagination set to **Yes (without total count)**, where calling a microflow action resulted in a **No selection available** pop-up error. (Ticket 241513)
+* We fixed the navigation profile selection. When using an iPad, it will now correctly use the tablet navigation profile if available. (Ticket 241824)
+* We upgraded the Netty dependency to 4.1.118. (Ticket 242071)
+* We improved the stability of Studio Pro when debugging nanoflows.
+* We fixed an issue where updating the metadata of a consumed OData service where one of the consumed entities did not exist anymore showed an exception.
+* We install the dotnet runtime x64 on Arm64 computers again, since the Console tools still requires the x64 in this Studio Pro version. We had previously stopped including it, which was the cause of the issue.
+* We fixed an error that occurred when using keyboard navigation in a tree control.
+* We fixed an issue in consumed OData services where the HTTP response from downloading metadata from a URL was not cleaned up correctly.
+* We resolved a potential crash during startup or shutdown of Studio Pro.
+* We fixed an issue where an **Oops** pop-up window was shown when extracting widgets that use an `unknown` entity type in a snippet.
+* We modified how runtime reports errors when a non-existing entity used when instantiating or querying objects.
+* We fixed an issue where attempting to convert a nanoflow or a microflow in the System module resulted in an error. This option is now disabled for the System module.
+* We fixed an issue with updating module roles in the **Module Security** dialog box. The issue occurred after moving a document between modules.
+
+* We fixed [CVE-2025-30280](/releasenotes/security-advisories/#30280).
 
 ### Deprecations
 
-- We deprecated Java 11 and 17. These versions will not be supported in Studio Pro 10.21 and above. We recommend to update to Java 21 before migrating to Mendix 10.
+* We deprecated Java 11 and 17. These versions will not be supported in Studio Pro 10.21 and above. We recommend to update to Java 21 before migrating to Mendix 10.
 
 ### Breaking Changes
 
-- We removed the `PhoneUserAgentRegEx` and `TabletUserAgentRegEx` custom runtime settings as today user agents are no longer enough to identify the type of device. We moved the device type detection to the client which can use more than just the user agent to determine the type of device. 
+* We removed the `PhoneUserAgentRegEx` and `TabletUserAgentRegEx` custom runtime settings as today user agents are no longer enough to identify the type of device. We moved the device type detection to the client which can use more than just the user agent to determine the type of device. 
 
 ### Known Issues
 
 * Line endings in CSS files are not being handled properly, so when using [Revert All Changes](/refguide9/using-version-control-in-studio-pro/) or performing other version-control operations, CSS files appear in the [Changes on Disk](/refguide9/version-control-menu/#show-changes) dialog box.
-  * Workaround: For details, see [this section](/refguide9/troubleshoot-git-issues/#css-error) in *Troubleshooting Version Control*.
+    * Workaround: For details, see [this section](/refguide9/troubleshoot-git-issues/#css-error) in *Troubleshooting Version Control*.
 
 ## 9.24.33 {#92433}