DevExpress XtraReports Missing Protection of Serialized Data Vulnerability in ASP.NET Web Forms

Vulnerability

A vulnerability exists in DevExpress versions prior to 23.1.3, as well as in several 22.x and 21.x releases, where the XtraReport serialized data is not adequately protected in ASP.NET Web Forms. This lack of proper protection can lead to unauthorized access or manipulation of the report data.

Impact

Exploitation of this vulnerability can result in unauthorized access to XtraReport serialized data, potentially allowing manipulation or misuse of the report information.

Reproduction

The vulnerability can be reproduced by sending a well-formed request to a report control's backend, which will bypass the default data source protection and allow untrusted access to the serialized data.

Remediation

Users are advised to update to DevExpress version 23.1.3 or later.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 5.3
remediation: 0.0
relevance: 0.0
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.