CVE-2022-41479

Published: Oct 18, 2022Modified: May 15, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

The DevExpress Resource Handler (ASPxHttpHandlerModule) in DevExpress ASP.NET Web Forms Build v19.2.3 does not verify the referenced objects in the /DXR.axd?r= HTTP GET parameter. This leads to an Insecure Direct Object References (IDOR) vulnerability which allows attackers to access the application source code. NOTE: the vendor disputes this because the retrieved source code is only the DevExpress client-side application code that is, of course, intentionally readable by web browsers (a site's custom code and data is never accessible via an IDOR approach).

Affected (1)

Products: Devexpress: Asp.net Web Forms Controls

1 product

Asp.net Web Forms Controls

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Devexpress Asp.net Web Forms Controls	Version 19.2.3

Related CWEs

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (4)

https://github.com/IthacaLabs/DevExpress/tree/main/ASP.NET_Web_Forms_Build_19.2.3

Source: cve@mitre.org

ExploitThird Party Advisory

https://supportcenter.devexpress.com/ticket/details/t1171808/penetration-test-idor-source-code-cve-2022-41479

Source: cve@mitre.org

https://supportcenter.devexpress.com/ticket/details/t190349/false-positive-vulnerabilities-known-alerts-detected-by-various-security-scanners-and

Source: cve@mitre.org

https://github.com/IthacaLabs/DevExpress/tree/main/ASP.NET_Web_Forms_Build_19.2.3

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.