CVE-2023-35817

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-35817
DevExpress before 23.1.3 allows AsyncDownloader SSRF.

5.0 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://code-white.com/public-vulnerability-list/ Vendor Advisory
https://supportcenter.devexpress.com/ticket/details/t1157209/server-side-request-forgery-via-asyncdownloader Permissions Required
https://supportcenter.devexpress.com/ticket/details/t1161404/report-and-dashboard-server-improper-default-configuration-can-lead-to-ssrf-attacks Permissions Required
https://supportcenter.devexpress.com/ticket/details/t1162045/reporting-bi-dashboard-office-file-api-web-app-configuration-to-help-prevent-ssrf-attacks Permissions Required
https://supportcenter.devexpress.com/ticket/details/t394936/devexpress-security-advisory-updated-on-april-27-2023 Permissions Required
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:devexpress:devexpress:*:*:*:*:*:*:*:*
cpe:2.3:a:devexpress:devexpress:22.1.8:*:*:*:*:*:*:*
cpe:2.3:a:devexpress:devexpress:22.2.4:*:*:*:*:*:*:*
cpe:2.3:a:devexpress:devexpress:22.2.5:*:*:*:*:*:*:*
History

05 Jun 2025, 14:30

Type Values Removed Values Added
References () https://code-white.com/public-vulnerability-list/ - () https://code-white.com/public-vulnerability-list/ - Vendor Advisory
References () https://supportcenter.devexpress.com/ticket/details/t1157209/server-side-request-forgery-via-asyncdownloader - () https://supportcenter.devexpress.com/ticket/details/t1157209/server-side-request-forgery-via-asyncdownloader - Permissions Required
References () https://supportcenter.devexpress.com/ticket/details/t1161404/report-and-dashboard-server-improper-default-configuration-can-lead-to-ssrf-attacks - () https://supportcenter.devexpress.com/ticket/details/t1161404/report-and-dashboard-server-improper-default-configuration-can-lead-to-ssrf-attacks - Permissions Required
References () https://supportcenter.devexpress.com/ticket/details/t1162045/reporting-bi-dashboard-office-file-api-web-app-configuration-to-help-prevent-ssrf-attacks - () https://supportcenter.devexpress.com/ticket/details/t1162045/reporting-bi-dashboard-office-file-api-web-app-configuration-to-help-prevent-ssrf-attacks - Permissions Required
References () https://supportcenter.devexpress.com/ticket/details/t394936/devexpress-security-advisory-updated-on-april-27-2023 - () https://supportcenter.devexpress.com/ticket/details/t394936/devexpress-security-advisory-updated-on-april-27-2023 - Permissions Required
First Time Devexpress devexpress
Devexpress
CPE cpe:2.3:a:devexpress:devexpress:22.2.5:*:*:*:*:*:*:*
cpe:2.3:a:devexpress:devexpress:*:*:*:*:*:*:*:*
cpe:2.3:a:devexpress:devexpress:22.1.8:*:*:*:*:*:*:*
cpe:2.3:a:devexpress:devexpress:22.2.4:*:*:*:*:*:*:*

29 Apr 2025, 13:52

Type Values Removed Values Added
Summary
  • (es) DevExpress anterior a 23.1.3 permite AsyncDownloader SSRF.

28 Apr 2025, 17:15

Type Values Removed Values Added
References
  • () https://code-white.com/public-vulnerability-list/ -

28 Apr 2025, 16:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-04-28 16:15

Updated : 2025-06-05 14:30

NVD link : CVE-2023-35817

Mitre link : CVE-2023-35817

CVE.ORG link : CVE-2023-35817

JSON object : View

Products Affected

devexpress

  • devexpress
CWE
CWE-918

Server-Side Request Forgery (SSRF)