IDOR vulnerabilities occur when an attacker supplies an un-sanitized user input to a system. For example, you can imagine an attacker submitting an XSS (Cross-Site Scripting) attack where he/she injects malicious code into the application source code. In these circumstances, the application source code is at risk of being exploited.
The CVE-2019-5440 has been assigned to this vulnerability.
RedTeam Pentesting has released a proof-of-concept which is available at https://github.com/RedTeamP/CVE-2019-5440. Note that this is a PoC and the application source code is available.
RedTeam Pentesting recommends that you upgrade to the latest version of DevExpress ASP.NET Web Forms Build v19.2.3. Stay up-to date on the latest software security updates.
Reference: https://www.pentestpartners.com/blog/2019-08-19-vulnerability-report
The CVE-2019-5440 has been assigned to this vulnerability. RedTeam Pentesting has released a proof of concept which is available at https://github.com/RedTeamP/CVE-2019-5440. Note that this is a PoC and the application source code is available. RedTeam Pentesting recommends that you upgrade to the latest version of DevExpress ASP.NET Web Forms Build v19.2.3 to stay up to date on the latest software security updates.
CVE-2019-5440 IDOR vulnerability
The vulnerability allows an attacker to execute JavaScript code on the server. The PoC demonstrates how an attacker can use the vulnerability to send a request with an XSS payload and execute it by injecting into a sub-request of a request.
IDOR Vulnerability
An attacker can exploit the un-sanitized user input vulnerability to execute arbitrary code by submitting a payload via any means of GET, POST, or in a cookie.
Note that this issue was found on the latest version of DevExpress ASP.NET Web Forms Build v19.2.3 and is only exploitable on Windows platforms with Internet Explorer 11 installed.
How to tell if DevExpress ASP.NET Build is vulnerable?
To see if DevExpress ASP.NET Build is vulnerable, go to the "Security" tab in the settings menu. It will show you if the application source code has been tampered with or not. If it has been tampered with and this is a false positive, contact RedTeam Pentesting for more information.
The security of your web application is important, so be sure that your web application is secure by installing the latest software updates and staying up to date on security vulnerabilities such as CVE-2019-5440.
Timeline
Published on: 10/18/2022 14:15:00 UTC
Last modified on: 10/20/2022 19:08:00 UTC