Vulnerability Description
The DevExpress resource handler (ASPxHttpHandlerModule) in DevExpress ASP.NET Web Forms Build v19.2.3 does not verify the object referenced by the r= parameter of an HTTP GET to /DXR.axd. The result is an Insecure Direct Object Reference (IDOR) that lets an unauthenticated attacker retrieve application source code. NOTE: the vendor disputes this finding, because the code retrieved is only the DevExpress client-side application code, which is intentionally readable by web browsers; a site's custom server-side code and data are never reachable through this handler.
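Because the handler serves whatever object r= names, a site cannot rely on the handler itself to distinguish a browser loading its scripts from a client enumerating resource identifiers. The following Python is an added example, not part of this CVE record, of DevExpress's code, or of the referenced exploit: it reads IIS W3C-format access logs and flags clients that request many distinct r= values against /DXR.axd. The log lines, field layout, r= values and the threshold of 20 are constructed assumptions, and the script treats r= as an opaque string rather than assuming any DevExpress naming scheme.

```python
"""Flag clients that enumerate many distinct /DXR.axd?r= resources.

Added example, not DevExpress code and not part of the CVE record.
Assumes IIS W3C logs whose field order is declared in a '#Fields:' line;
the sample below is constructed for illustration only.
"""
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample: a normal browser (10.0.0.5) fetches a few client-side
# resources, while 203.0.113.9 walks 25 guessed r= values, some of which 404.
SAMPLE_HEADER = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2022-10-01 10:00:01 10.0.0.5 GET /Default.aspx - 200
2022-10-01 10:00:02 10.0.0.5 GET /DXR.axd r=res1 200
2022-10-01 10:00:02 10.0.0.5 GET /DXR.axd r=res2 200
2022-10-01 10:00:03 10.0.0.5 GET /DXR.axd r=res3 200"""

PROBE_LINES = "\n".join(
    f"2022-10-01 10:05:{i:02d} 203.0.113.9 GET /DXR.axd r=probe-{i:02d} "
    f"{'200' if i % 5 else '404'}"  # every fifth guess misses (assumed)
    for i in range(25)
)
SAMPLE_LOG = SAMPLE_HEADER + "\n" + PROBE_LINES + "\n"


def parse_iis_log(text):
    """Yield one dict per data line, keyed by the names in '#Fields:'."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):  # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("data line before #Fields: header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines rather than abort the scan
        yield dict(zip(fields, values))


def dxr_resource_id(rec):
    """Return the r= value for a /DXR.axd request, else None."""
    if not rec.get("cs-uri-stem", "").lower().endswith("/dxr.axd"):
        return None
    query = rec.get("cs-uri-query", "-")
    if query == "-":  # IIS writes '-' for an empty query string
        return None
    ids = parse_qs(query).get("r")
    return ids[0] if ids else None


def dxr_enumeration_report(text, threshold=20):
    """Per client IP: distinct r= values, non-2xx DXR responses, flag."""
    per_ip = defaultdict(lambda: {"distinct": set(), "errors": 0})
    for rec in parse_iis_log(text):
        rid = dxr_resource_id(rec)
        if rid is None:
            continue
        stats = per_ip[rec["c-ip"]]
        stats["distinct"].add(rid)
        if not rec.get("sc-status", "").startswith("2"):
            stats["errors"] += 1  # misses suggest guessing, not a page load
    return {
        ip: {
            "distinct": len(s["distinct"]),
            "errors": s["errors"],
            "flagged": len(s["distinct"]) >= threshold,
        }
        for ip, s in per_ip.items()
    }


if __name__ == "__main__":
    for ip, stats in dxr_enumeration_report(SAMPLE_LOG).items():
        print(ip, stats)
```

The threshold is a tuning knob: a real page may legitimately pull a few dozen resources on first load, so compare against the distinct-resource count of known-good sessions before alerting, and weight the non-2xx count, since a browser executing the page's own markup does not request resource names that do not exist.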
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Devexpress | Asp.Net Web Forms Controls | 19.2.3 |
Related Weaknesses (CWE)
References
- https://github.com/IthacaLabs/DevExpress/tree/main/ASP.NET_Web_Forms_Build_19.2.Exploit (Third Party Advisory)
- https://supportcenter.devexpress.com/ticket/details/t1171808/penetration-test-id
- https://supportcenter.devexpress.com/ticket/details/t190349/false-positive-vulne
FAQ
What is CVE-2022-41479?
CVE-2022-41479 is a vulnerability with a CVSS score of 7.5 (HIGH). The DevExpress resource handler (ASPxHttpHandlerModule) in DevExpress ASP.NET Web Forms Build v19.2.3 does not verify the object referenced by the /DXR.axd?r= HTTP GET parameter, an Insecure Direct Object Reference (IDOR) that exposes DevExpress client-side application code. The vendor disputes the finding because that code is intentionally readable by web browsers.
How severe is CVE-2022-41479?
CVE-2022-41479 has been rated HIGH with a CVSS base score of 7.5/10. The full CVSS vector is not given on this page, and the vendor disputes the finding, so weigh the score against what the handler actually returns in your deployment.
Is there a patch for CVE-2022-41479?
Check the references section above for vendor advisories and patch information; the DevExpress support-center tickets record the vendor's position that the report is a false positive. Affected products include: Devexpress Asp.Net Web Forms Controls.