CVE-2022-41479

The DevExpress Resource Handler (ASPxHttpHandlerModule) in DevExpress ASP.NET Web Forms Build v19.2.3 does not verify the referenced objects in the /DXR.axd?r= HTTP GET parameter. This leads to an Insecure Direct Object References (IDOR) vulnerability which allows attackers to access the application source code. NOTE: the vendor disputes this because the retrieved source code is only the DevExpress client-side application code that is, of course, intentionally readable by web browsers (a site's custom code and data is never accessible via an IDOR approach).
Configurations

Configuration 1 (hide)

cpe:2.3:a:devexpress:asp.net_web_forms_controls:19.2.3:*:*:*:*:*:*:*

History

21 Nov 2024, 07:23

Type Values Removed Values Added
References () https://github.com/IthacaLabs/DevExpress/tree/main/ASP.NET_Web_Forms_Build_19.2.3 - Exploit, Third Party Advisory () https://github.com/IthacaLabs/DevExpress/tree/main/ASP.NET_Web_Forms_Build_19.2.3 - Exploit, Third Party Advisory

02 Aug 2024, 20:15

Type Values Removed Values Added
References
  • () https://supportcenter.devexpress.com/ticket/details/t1171808/penetration-test-idor-source-code-cve-2022-41479 -
  • () https://supportcenter.devexpress.com/ticket/details/t190349/false-positive-vulnerabilities-known-alerts-detected-by-various-security-scanners-and -
Summary (en) The DevExpress Resource Handler (ASPxHttpHandlerModule) in DevExpress ASP.NET Web Forms Build v19.2.3 does not verify the referenced objects in the /DXR.axd?r= HTTP GET parameter. This leads to an Insecure Direct Object References (IDOR) vulnerability which allows attackers to access the application source code. (en) The DevExpress Resource Handler (ASPxHttpHandlerModule) in DevExpress ASP.NET Web Forms Build v19.2.3 does not verify the referenced objects in the /DXR.axd?r= HTTP GET parameter. This leads to an Insecure Direct Object References (IDOR) vulnerability which allows attackers to access the application source code. NOTE: the vendor disputes this because the retrieved source code is only the DevExpress client-side application code that is, of course, intentionally readable by web browsers (a site's custom code and data is never accessible via an IDOR approach).

Information

Published : 2022-10-18 14:15

Updated : 2024-11-21 07:23


NVD link : CVE-2022-41479

Mitre link : CVE-2022-41479

CVE.ORG link : CVE-2022-41479


JSON object : View

Products Affected

devexpress

  • asp.net_web_forms_controls
CWE
CWE-639

Authorization Bypass Through User-Controlled Key