CVE-2023-35816

Published: Apr 28, 2025Modified: Jun 5, 2025

5.3

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Exploitability: 3.9 / Impact: 1.4

Source: NVD

Description

DevExpress before 23.1.3 allows arbitrary TypeConverter conversion.

Affected (4)

Products: Devexpress: Devexpress

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Devexpress Devexpress	Before 21.2.12
Devexpress Devexpress	Version 22.1.8
Devexpress Devexpress	Version 22.2.4
Devexpress Devexpress	Version 22.2.5

Related CWEs

Relative Path Traversal

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

Incorrect Type Conversion or Cast

The product does not correctly convert an object, resource, or structure from one type to a different type.

References (4)

https://code-white.com/public-vulnerability-list/

Source: cve@mitre.org

Vendor Advisory

https://supportcenter.devexpress.com/ticket/details/t1127422/insecure-arbitrary-typeconverter-conversion

Source: cve@mitre.org

Permissions Required

https://supportcenter.devexpress.com/ticket/details/t1159641/net-desktop-and-web-controls-unsafe-data-type-deserialization

Source: cve@mitre.org

Permissions Required

https://supportcenter.devexpress.com/ticket/details/t394936/devexpress-security-advisory-updated-on-april-27-2023

Source: cve@mitre.org

Permissions Required

Timeline

No history available yet.