CVE-2023-35814

April 28, 2025, 4:15 p.m.

3.5

Low

Description

DevExpress before 23.1.3 does not properly protect XtraReport serialized data in ASP.NET web forms.

Product(s) Impacted

Vendor	Product	Versions
Devexpress	Xtrareport	*

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-502

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	devexpress	xtrareport	/	/	/	/	/	asp.net	/	/

References

https://code-white.com/public-vulnerability-list/

https://supportcenter.devexpress.com/ticket/details/t1141158/missing-protection-of-xtrareport-serialized-data-in-asp-net-web-forms

https://supportcenter.devexpress.com/ticket/details/t1158413/the-allowpassingdatasourceconnectionparameterstoclient-method-may-allow-untrusted-access

https://supportcenter.devexpress.com/ticket/details/t1160535/web-reporting-well-formed-request-to-a-report-control-s-backend-can-use

https://supportcenter.devexpress.com/ticket/details/t394936/devexpress-security-advisory-updated-on-april-27-2023

Tags

cve@mitre.org

CWE-502

2025-04-28

CVE-2023-35814

CVSS Score

3.5 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

View Vector String

Timeline

Published: April 28, 2025, 4:15 p.m.
Last Modified: April 28, 2025, 4:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cve@mitre.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.