Strix
26.1K

CVE-2022-41479

HIGHCVSS 7.5/10EPSS 1.10%

Last modified

CVE-2022-41479 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. The DevExpress Resource Handler (ASPxHttpHandlerModule) in DevExpress ASP.NET Web Forms Build v19.2.3 does not verify the referenced objects in the /DXR.axd?r= HTTP GET parameter. This leads to an Insecure Direct Object References (IDOR) vulnerability which allows attackers to access the application source code. EPSS estimates a 1.10% chance of exploitation in the next 30 days.

Description

The DevExpress Resource Handler (ASPxHttpHandlerModule) in DevExpress ASP.NET Web Forms Build v19.2.3 does not verify the referenced objects in the /DXR.axd?r= HTTP GET parameter. This leads to an Insecure Direct Object References (IDOR) vulnerability which allows attackers to access the application source code. NOTE: the vendor disputes this because the retrieved source code is only the DevExpress client-side application code that is, of course, intentionally readable by web browsers (a site's custom code and data is never accessible via an IDOR approach).

Metrics

CVSS 3.1
7.5/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Probability
1.10%

61.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
DevexpressAsp.Net Web Forms Controls19.2.3

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2022-41479?
The DevExpress Resource Handler (ASPxHttpHandlerModule) in DevExpress ASP.NET Web Forms Build v19.2.3 does not verify the referenced objects in the /DXR.axd?r= HTTP GET parameter. This leads to an Insecure Direct Object References (IDOR) vulnerability which allows attackers to access the application source code. NOTE: the vendor disputes this because the retrieved source code is only the DevExpress client-side application code that is, of course, intentionally readable by web browsers (a site's custom code and data is never accessible via an IDOR approach).
How severe is CVE-2022-41479?
CVE-2022-41479 has a CVSS score of 7.5/10 (HIGH severity). The EPSS model estimates a 1.10% probability of exploitation in the next 30 days.
How do I fix CVE-2022-41479?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-41479?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST