The DevExpress Resource Handler (ASPxHttpHandlerModule) in DevExpress ASP.NET Web Forms Build v19.2.3 does not verify the referenced objects in the /DXR.axd?r= HTTP GET parameter. This leads to an Insecure Direct Object References (IDOR) vulnerability which allows attackers to access the application source code. NOTE: the vendor disputes this because the retrieved source code is only the DevExpress client-side application code that is, of course, intentionally readable by web browsers (a site's custom code and data is never accessible via an IDOR approach).
References
Configurations
History
21 Nov 2024, 07:23
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/IthacaLabs/DevExpress/tree/main/ASP.NET_Web_Forms_Build_19.2.3 - Exploit, Third Party Advisory |
02 Aug 2024, 20:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Summary | (en) The DevExpress Resource Handler (ASPxHttpHandlerModule) in DevExpress ASP.NET Web Forms Build v19.2.3 does not verify the referenced objects in the /DXR.axd?r= HTTP GET parameter. This leads to an Insecure Direct Object References (IDOR) vulnerability which allows attackers to access the application source code. NOTE: the vendor disputes this because the retrieved source code is only the DevExpress client-side application code that is, of course, intentionally readable by web browsers (a site's custom code and data is never accessible via an IDOR approach). |
Information
Published : 2022-10-18 14:15
Updated : 2024-11-21 07:23
NVD link : CVE-2022-41479
Mitre link : CVE-2022-41479
CVE.ORG link : CVE-2022-41479
JSON object : View
Products Affected
devexpress
- asp.net_web_forms_controls
CWE
CWE-639
Authorization Bypass Through User-Controlled Key