DevExpress Server-Side Request Forgery Vulnerability via AsyncDownloader

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in DevExpress products prior to version 23.1.3. The AsyncDownloader component can be made to issue requests to destinations it should not reach, so the application server effectively acts as a proxy and may expose internal services or resources that are not reachable from outside.

Impact

Exploitation allows an attacker to make the server issue requests on their behalf. Because the requests originate from the server, they carry the server's network position: internal services and resources that are not exposed to the public, but are reachable from the server, can be contacted and their responses potentially read back.

Reproduction

Reproduction requires an application running a DevExpress version prior to 23.1.3 that exposes the AsyncDownloader component. With the application running, the AsyncDownloader's download target can be pointed at an internal service. The component performs the request from the server, so the destination is reached with the server's network access rather than the client's, bypassing the access controls that would stop the same request if it were made directly from the client.

Remediation

Users are advised to update to DevExpress version 23.1.3 or later, where this vulnerability has been addressed. Where an immediate upgrade is not possible, restrict outbound requests from the application server at the network layer and validate any URL the downloader is given before it is fetched, rejecting non-HTTP(S) schemes and destinations in loopback, private and link-local address ranges.
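The following is an added example, not DevExpress code and not taken from this advisory. It shows the destination check an application should apply before any server-side downloader fetches a URL on the server's behalf, the compensating control that the Vulnerability, Impact and Remediation sections above call for. The page does not document the AsyncDownloader API, so no DevExpress call is shown; the function names, the blocked-range list, the constructed DNS answers in SAMPLE_DNS and the sample URLs are all assumptions made for this example. Every DNS answer for a hostname is checked, and IPv4-mapped IPv6 literals are unwrapped so that the IPv4 rules apply to them.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Destinations a server-side fetcher should never be steered into.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",       # "this" network; 0.0.0.0 reaches the local host on Linux
    "10.0.0.0/8",      # RFC 1918
    "100.64.0.0/10",   # carrier-grade NAT (RFC 6598)
    "127.0.0.0/8",     # loopback
    "169.254.0.0/16",  # link-local, including cloud instance-metadata services
    "172.16.0.0/12",   # RFC 1918
    "192.168.0.0/16",  # RFC 1918
    "224.0.0.0/4",     # multicast
    "240.0.0.0/4",     # reserved
    "::/128",          # IPv6 unspecified
    "::1/128",         # IPv6 loopback
    "fc00::/7",        # IPv6 unique local
    "fe80::/10",       # IPv6 link-local
)]

Resolver = Callable[[str], Iterable[str]]

def system_resolver(host: str) -> List[str]:
    """Return every A/AAAA answer for host using the OS resolver."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]

def is_blocked_address(addr: str) -> bool:
    """True if addr (an IPv4 or IPv6 literal) falls in a blocked range."""
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so the IPv4 rules apply to it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)

def validate_fetch_target(url: str, resolver: Resolver = system_resolver) -> str:
    """Return url if the server may fetch it; raise ValueError with the reason otherwise."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    try:
        # Literal address (bracketed IPv6 literals arrive here without brackets).
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        # A DNS name: check every answer, so a name with one public and one
        # private record is still rejected.
        addresses = list(resolver(host))
        if not addresses:
            raise ValueError(f"host does not resolve: {host!r}")
    for addr in addresses:
        if is_blocked_address(addr):
            raise ValueError(f"{host!r} resolves to blocked address {addr}")
    return url

# Constructed DNS answers so the example runs offline; these are not real hosts.
SAMPLE_DNS: Dict[str, List[str]] = {
    "www.example.org": ["198.51.100.7"],
    "reports.internal.example": ["10.20.30.40"],
    "dual.example": ["203.0.113.5", "192.168.1.1"],
}

def sample_resolver(host: str) -> List[str]:
    """Stand-in for system_resolver that answers only from SAMPLE_DNS."""
    return SAMPLE_DNS.get(host, [])

def check_targets(urls: Iterable[str], resolver: Resolver = sample_resolver) -> Dict[str, str]:
    """Classify each URL as 'allowed' or 'blocked: <reason>'."""
    results: Dict[str, str] = {}
    for url in urls:
        try:
            validate_fetch_target(url, resolver)
            results[url] = "allowed"
        except ValueError as exc:
            results[url] = f"blocked: {exc}"
    return results

if __name__ == "__main__":
    sample_urls = [
        "https://www.example.org/report.pdf",
        "http://reports.internal.example/export",
        "http://127.0.0.1:8080/admin",
        "http://[::ffff:169.254.169.254]/latest/meta-data/",
        "http://dual.example/",
        "file:///etc/passwd",
        "https://user:pw@www.example.org/",
    ]
    for url, verdict in check_targets(sample_urls).items():
        print(f"{verdict:<60} {url}")
```

Two caveats apply in production. The address that passed validation must be the one the fetcher actually connects to, otherwise a DNS answer that changes between the check and the connection (rebinding) defeats the check; pin the resolved address or resolve once inside the HTTP client. Redirect responses must be validated with the same function before being followed, since a permitted external host can redirect the server to an internal one.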

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          0.6
exploitability  6.0
remediation     7.7
relevance       0.0
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.