CVE-2023-35817

NVD	https://nvd.nist.gov/vuln/detail/CVE-2023-35817
CWE	https://cwe.mitre.org/data/definitions/918.html

NVD

https://nvd.nist.gov/vuln/detail/CVE-2023-35817

CWE

https://cwe.mitre.org/data/definitions/918.html

DevExpress before 23.1.3 allows AsyncDownloader SSRF.

Weakness

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

https://cwe.mitre.org/data/definitions/664.html

References

https://code-white.com/public-vulnerability-list/
https://supportcenter.devexpress.com/ticket/details/t1157209/server-side-request-forgery-via-asyncdownloader
https://supportcenter.devexpress.com/ticket/details/t1161404/report-and-dashboard-server-improper-default-configuration-can-lead-to-ssrf-attacks
https://supportcenter.devexpress.com/ticket/details/t1162045/reporting-bi-dashboard-office-file-api-web-app-configuration-to-help-prevent-ssrf-attacks
https://supportcenter.devexpress.com/ticket/details/t394936/devexpress-security-advisory-updated-on-april-27-2023

Server-Side Request Forgery (SSRF)

Weakness

Related Attack Patterns

References