CVE-2023-35815

DevExpress before 23.1.3 has a data-source protection mechanism bypass during deserialization on XML data.

CVSS v3 3.5 LOW

3.5^/10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://code-white.com/public-vulnerability-list/	Vendor Advisory
https://supportcenter.devexpress.com/ticket/details/t1141947/data-source-protection-bypass-during-xml-deserialization	Permissions Required
https://supportcenter.devexpress.com/ticket/details/t1159142/web-reporting-data-source-protection-bypassed-during-xml-deserialization	Permissions Required
https://supportcenter.devexpress.com/ticket/details/t394936/devexpress-security-advisory-updated-on-april-27-2023	Permissions Required

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:devexpress:devexpress::::::::
	cpe:2.3:a:devexpress:devexpress:22.1.8:::::::*
	cpe:2.3:a:devexpress:devexpress:22.2.4:::::::*
	cpe:2.3:a:devexpress:devexpress:22.2.5:::::::*

History

05 Jun 2025, 14:29

Type	Values Removed	Values Added
CPE		cpe:2.3:a:devexpress:devexpress:::::::: cpe:2.3:a:devexpress:devexpress:22.2.5:::::::* cpe:2.3:a:devexpress:devexpress:22.2.4:::::::* cpe:2.3:a:devexpress:devexpress:22.1.8:::::::*
First Time		Devexpress Devexpress devexpress
References	~~() https://code-white.com/public-vulnerability-list/ -~~	() https://code-white.com/public-vulnerability-list/ - Vendor Advisory
References	~~() https://supportcenter.devexpress.com/ticket/details/t1141947/data-source-protection-bypass-during-xml-deserialization -~~	() https://supportcenter.devexpress.com/ticket/details/t1141947/data-source-protection-bypass-during-xml-deserialization - Permissions Required
References	~~() https://supportcenter.devexpress.com/ticket/details/t1159142/web-reporting-data-source-protection-bypassed-during-xml-deserialization -~~	() https://supportcenter.devexpress.com/ticket/details/t1159142/web-reporting-data-source-protection-bypassed-during-xml-deserialization - Permissions Required
References	~~() https://supportcenter.devexpress.com/ticket/details/t394936/devexpress-security-advisory-updated-on-april-27-2023 -~~	() https://supportcenter.devexpress.com/ticket/details/t394936/devexpress-security-advisory-updated-on-april-27-2023 - Permissions Required

29 Apr 2025, 13:52

Type	Values Removed	Values Added
Summary		(es) DevExpress anterior a 23.1.3 tiene un mecanismo de protección de fuente de datos que se evita durante la deserialización de datos XML.

28 Apr 2025, 17:15

Type	Values Removed	Values Added
References		() https://code-white.com/public-vulnerability-list/ -

28 Apr 2025, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-04-28 16:15

Updated : 2025-06-05 14:29

NVD link : CVE-2023-35815

Mitre link : CVE-2023-35815

CVE.ORG link : CVE-2023-35815

JSON object : View

Products Affected

devexpress

devexpress

CWE

CWE-502

Deserialization of Untrusted Data

3.5 /10