Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-35814

DevExpress before 23.1.3 does not properly protect XtraReport serialized data in ASP.NET web forms.

Published

2025-04-28T16:15:25.357

Last Modified

2025-06-05T14:29:42.040

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 3.5 (LOW)

Weaknesses

Type: Secondary
CWE-502

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	devexpress	devexpress	< 21.2.12	Yes
Application	devexpress	devexpress	22.1.8	Yes
Application	devexpress	devexpress	22.2.4	Yes
Application	devexpress	devexpress	22.2.5	Yes

References

https://code-white.com/public-vulnerability-list/ Vendor Advisory ([email protected])
https://supportcenter.devexpress.com/ticket/details/t1141158/missing-protection-of-xtrareport-serialized-data-in-asp-net-web-forms Permissions Required ([email protected])
https://supportcenter.devexpress.com/ticket/details/t1158413/the-allowpassingdatasourceconnectionparameterstoclient-method-may-allow-untrusted-access Permissions Required ([email protected])
https://supportcenter.devexpress.com/ticket/details/t1160535/web-reporting-well-formed-request-to-a-report-control-s-backend-can-use Permissions Required ([email protected])
https://supportcenter.devexpress.com/ticket/details/t394936/devexpress-security-advisory-updated-on-april-27-2023 Permissions Required ([email protected])