CVE-2023-35817

Published: Apr 28, 2025Modified: Jun 5, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

DevExpress before 23.1.3 allows AsyncDownloader SSRF.

Affected (4)

Products: Devexpress: Devexpress

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Devexpress Devexpress	Before 21.2.12
Devexpress Devexpress	Version 22.1.8
Devexpress Devexpress	Version 22.2.4
Devexpress Devexpress	Version 22.2.5

Related CWEs

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (5)

https://code-white.com/public-vulnerability-list/

Source: cve@mitre.org

Vendor Advisory

https://supportcenter.devexpress.com/ticket/details/t1157209/server-side-request-forgery-via-asyncdownloader

Source: cve@mitre.org

Permissions Required

https://supportcenter.devexpress.com/ticket/details/t1161404/report-and-dashboard-server-improper-default-configuration-can-lead-to-ssrf-attacks

Source: cve@mitre.org

Permissions Required

https://supportcenter.devexpress.com/ticket/details/t1162045/reporting-bi-dashboard-office-file-api-web-app-configuration-to-help-prevent-ssrf-attacks

Source: cve@mitre.org

Permissions Required

https://supportcenter.devexpress.com/ticket/details/t394936/devexpress-security-advisory-updated-on-april-27-2023

Source: cve@mitre.org

Permissions Required

Timeline

No history available yet.