PT-2022-25884 · Devexpress · Devexpress Asp.Net

Published

2022-10-18

·

Updated

2024-08-03

·

CVE-2022-41479

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

DevExpress ASP.NET Web Forms, build version 19.2.3

Description

The DevExpress resource handler (ASPxHttpHandlerModule) does not validate the object referenced by the "r" parameter of an HTTP GET request to "/DXR.axd?r=". This is an Insecure Direct Object Reference (IDOR): an unauthenticated remote attacker (AV:N, PR:N in the vector above) can retrieve application source code served through the handler. Note that the vendor disputes the finding, stating that the retrievable source code is only DevExpress's own client-side code, which is intentionally readable by web browsers, and that a site's custom code and data are never accessible this way.

Recommendations

No version containing a fix is known at the time of writing. For build 19.2.3, restrict access to the "/DXR.axd" endpoint as a temporary workaround to reduce exposure until a patch is available. Because the handler serves the client-side code that DevExpress controls load in the browser, restricting it to authenticated users or trusted networks also withholds that code from anyone outside the boundary, so verify that the application still renders correctly after applying the restriction.
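As an added example, not taken from this advisory or from DevExpress, the following web.config fragment applies the workaround above with ASP.NET URL authorization. It assumes the application already requires a logged-in user on every page: denying anonymous requests to DXR.axd also denies the DevExpress client-side code to anonymous browsers, so on a public site this breaks the UI rather than hardening it. The "?" and "*" user tokens are the standard ASP.NET wildcards for anonymous and all users; rules are evaluated top to bottom and the first match wins.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- Added example (not the advisory's or the vendor's configuration):
       temporary workaround that limits the DevExpress resource handler
       to authenticated users on an application that already requires login.
       The <location> element scopes the rule to the handler path only. -->
  <location path="DXR.axd">
    <system.web>
      <authorization>
        <!-- "?" is the anonymous user; deny it first so it matches before the allow. -->
        <deny users="?" />
        <!-- "*" is every (authenticated) user. -->
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

After deploying, confirm the rule is active by requesting /DXR.axd?r= with any value in a session that carries no authentication cookie: ASP.NET Forms authentication should answer with a redirect to the login page, and Windows authentication with 401. Where the application must stay public, an IIS IP and Domain Restrictions rule on the same path (system.webServer/security/ipSecurity) that allows only trusted source addresses is the alternative; it needs that IIS feature installed and the section unlocked, and it cannot be combined with public access to the DevExpress client-side code either.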

Exploit

IDOR

Weakness Enumeration

Related Identifiers

CVE-2022-41479

Affected Products

Devexpress Asp.Net