Devexpress

devexpress

9 CVEs • 4 products

Products (4)

Click to collapse

Toggle

Aspxfilemanager Control For Webforms And Mvc

aspxfilemanager_control_for_webforms_and_mvc

Ajax Control Toolkit

ajax_control_toolkit

Asp.net Web Forms Controls

asp.net_web_forms_controls

CVEs (9)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-35817 1Devexpress 1Devexpress Jun 5, 2025 Apr 28, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 DevExpress before 23.1.3 allows AsyncDownloader SSRF.
CVE-2023-35816 1Devexpress 1Devexpress Jun 5, 2025 Apr 28, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 DevExpress before 23.1.3 allows arbitrary TypeConverter conversion.
CVE-2023-35815 1Devexpress 1Devexpress Jun 5, 2025 Apr 28, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 DevExpress before 23.1.3 has a data-source protection mechanism bypass during deserialization on XML data.
CVE-2023-35814 1Devexpress 1Devexpress Jun 5, 2025 Apr 28, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 DevExpress before 23.1.3 does not properly protect XtraReport serialized data in ASP.NET web forms.
CVE-2022-41479 1Devexpress 1Asp.net Web Forms Controls May 15, 2025 Oct 18, 2022 N/A· v4 7.5 HIGH· v3 N/A· v2 The DevExpress Resource Handler (ASPxHttpHandlerModule) in DevExpress ASP.NET Web Forms Build v19.2.3 does not verify the referenced objects in the /DXR.axd?r= HTTP GET parameter. This leads to an Insecure Direct Object...Show more The DevExpress Resource Handler (ASPxHttpHandlerModule) in DevExpress ASP.NET Web Forms Build v19.2.3 does not verify the referenced objects in the /DXR.axd?r= HTTP GET parameter. This leads to an Insecure Direct Object References (IDOR) vulnerability which allows attackers to access the application source code. NOTE: the vendor disputes this because the retrieved source code is only the DevExpress client-side application code that is, of course, intentionally readable by web browsers (a site's custom code and data is never accessible via an IDOR approach).Show less
CVE-2022-28684 1Devexpress 1Devexpress Nov 21, 2024 Aug 3, 2022 N/A· v4 8.8 HIGH· v3 N/A· v2 This vulnerability allows remote attackers to execute arbitrary code on affected installations of DevExpress. Authentication is required to exploit this vulnerability. The specific flaw exists within the SafeBinaryFormat...Show more This vulnerability allows remote attackers to execute arbitrary code on affected installations of DevExpress. Authentication is required to exploit this vulnerability. The specific flaw exists within the SafeBinaryFormatter library. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-16710.Show less
CVE-2021-36483 1Devexpress 1Devexpress Nov 21, 2024 Aug 4, 2021 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 DevExpress.XtraReports.UI through v21.1 allows attackers to execute arbitrary code via insecure deserialization.
CVE-2015-4670 1Devexpress 1Ajax Control Toolkit May 6, 2026 Aug 18, 2015 N/A· v4 N/A· v3 6.4 MEDIUM· v2 Directory traversal vulnerability in the AjaxFileUpload control in DevExpress AJAX Control Toolkit (aka AjaxControlToolkit) before 15.1 allows remote attackers to write to arbitrary files via a .. (dot dot) in the fileId...Show more Directory traversal vulnerability in the AjaxFileUpload control in DevExpress AJAX Control Toolkit (aka AjaxControlToolkit) before 15.1 allows remote attackers to write to arbitrary files via a .. (dot dot) in the fileId parameter to AjaxFileUploadHandler.axd.Show less
CVE-2014-2575 1Devexpress 1Aspxfilemanager Control For Webforms And Mvc May 6, 2026 Jun 6, 2014 N/A· v4 N/A· v3 6.5 MEDIUM· v2 Directory traversal vulnerability in the File Manager component in DevExpress ASPxFileManager Control for ASP.NET WebForms and MVC before 13.1.10 and 13.2.x before 13.2.9 allows remote authenticated users to read or writ...Show more Directory traversal vulnerability in the File Manager component in DevExpress ASPxFileManager Control for ASP.NET WebForms and MVC before 13.1.10 and 13.2.x before 13.2.9 allows remote authenticated users to read or write arbitrary files via a .. (dot dot) in the __EVENTARGUMENT parameter.Show less