CVE-2021-36483
HIGH
DevExpress.XtraReports.UI < 21.1 - Remote Code Execution via Insecure Deserialization
Title source: llm
Description
DevExpress.XtraReports.UI through v21.1 allows attackers to execute arbitrary code via insecure deserialization.
References (6)
Core References
Third Party Advisory x_refsource_misc
https://gist.github.com/tree-chtsec/27013ed6cb297b24e44f6359439b678e
Permissions Required, Vendor Advisory x_refsource_misc
https://supportcenter.devexpress.com/ticket/details/t708194/net-web-controls-unsafe-data-type-deserialization
Permissions Required, Vendor Advisory x_refsource_misc
https://supportcenter.devexpress.com/ticket/details/t714296/net-desktop-controls-unsafe-data-type-deserialization
Third Party Advisory x_refsource_misc
https://www.chtsecurity.com/news/a01d1bc6-19c8-4187-b343-6bc685efe64f
Permissions Required, Vendor Advisory x_refsource_confirm
https://supportcenter.devexpress.com/ticket/details/t1031535/reporting-unsafe-data-type-deserialization
Third Party Advisory, VDB Entry x_refsource_misc
https://www.zerodayinitiative.com/advisories/ZDI-22-341/
Scores
CVSS v3
8.8
EPSS
0.0290
EPSS Percentile
85.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-502
Status
published
Products (1)
devexpress/devexpress
< 21.1
Published
Aug 04, 2021
Tracked Since
Feb 18, 2026