
CVE-2022-41479: n/a in n/a

Severity: High
Published: Tue Oct 18 2022 (10/18/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

The DevExpress Resource Handler (ASPxHttpHandlerModule) in DevExpress ASP.NET Web Forms Build v19.2.3 does not verify the referenced objects in the /DXR.axd?r= HTTP GET parameter. This leads to an Insecure Direct Object References (IDOR) vulnerability which allows attackers to access the application source code. NOTE: the vendor disputes this because the retrieved source code is only the DevExpress client-side application code that is, of course, intentionally readable by web browsers (a site's custom code and data is never accessible via an IDOR approach).

AI-Powered Analysis

Last updated: 07/06/2025, 09:27:45 UTC

Technical Analysis

CVE-2022-41479 is a high-severity Insecure Direct Object References (IDOR) vulnerability found in the DevExpress ASP.NET Web Forms Build version 19.2.3, specifically within the DevExpress Resource Handler module (ASPxHttpHandlerModule). The vulnerability arises because the handler does not properly verify the referenced objects passed via the /DXR.axd?r= HTTP GET parameter. This lack of validation allows an unauthenticated attacker to request and retrieve application source code. However, the vendor disputes the severity of this issue, clarifying that the source code accessible through this vector is limited to the DevExpress client-side application code, which is inherently intended to be readable by web browsers. Importantly, the vulnerability does not expose any custom server-side code or sensitive data from the hosting application. The CVSS v3.1 base score is 7.5, reflecting a high severity due to the vulnerability's network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact is primarily on confidentiality, as attackers can access client-side source code, but there is no impact on integrity or availability. No known exploits are currently reported in the wild, and no patches have been linked or published by the vendor. The vulnerability is categorized under CWE-639 (Authorization Bypass Through User-Controlled Key).

Potential Impact

For European organizations using DevExpress ASP.NET Web Forms Build v19.2.3, this vulnerability could lead to unauthorized disclosure of client-side application source code. While the exposed code is not sensitive server-side logic or proprietary business logic, it could still provide attackers with insights into the client-side implementation, potentially aiding in crafting more targeted attacks such as client-side manipulation, social engineering, or reconnaissance for further exploitation. The confidentiality impact is moderate since no sensitive data or server-side code is exposed. Integrity and availability remain unaffected. Organizations relying heavily on DevExpress components for web applications should be aware that attackers can gain additional visibility into their front-end code, which might indirectly increase risk. However, the absence of known exploits and the vendor's clarification reduce the immediate threat level. Still, organizations should consider this vulnerability in their risk assessments, especially those in regulated sectors or with high-value web assets.

Mitigation Recommendations

1. Upgrade DevExpress ASP.NET Web Forms to a later version if available, where this vulnerability is addressed or mitigated.
2. If upgrading is not immediately possible, implement web application firewall (WAF) rules to monitor and block suspicious requests targeting the /DXR.axd endpoint with unusual or unexpected parameters.
3. Restrict access to the /DXR.axd resource via network-level controls or authentication mechanisms where feasible, limiting exposure to trusted users only.
4. Conduct thorough code reviews and penetration testing focused on the use of DevExpress components to identify any additional weaknesses or misconfigurations.
5. Monitor web server logs for anomalous requests to the /DXR.axd endpoint that could indicate exploitation attempts.
6. Educate development teams about the nature of client-side code exposure and ensure sensitive logic is not implemented on the client side.
7. Engage with DevExpress vendor support to obtain official patches or guidance and stay updated on any future security advisories.
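As an added example (not part of this record or of DevExpress), a small Python detector for recommendation 5: it parses W3C/IIS-style access-log lines and flags clients that fetch many distinct /DXR.axd?r= resources inside a short window, which looks like probing of the handler rather than a normal page load. The log layout, the sample lines, the placeholder r= values, the window size and the threshold are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed sample log (W3C/IIS-style: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
# The r= values are placeholders, not real DevExpress resource keys.
SAMPLE_LOG = """\
2025-01-10 10:00:01 10.0.0.5 GET /DXR.axd r=res_a 200
2025-01-10 10:00:02 10.0.0.5 GET /Default.aspx - 200
2025-01-10 10:00:03 10.0.0.5 GET /DXR.axd r=res_b 200
2025-01-10 10:00:10 198.51.100.7 GET /dxr.axd r=res_a 200
2025-01-10 10:00:11 198.51.100.7 GET /dxr.axd r=res_b 200
2025-01-10 10:00:12 198.51.100.7 GET /dxr.axd r=res_c 200
2025-01-10 10:00:13 198.51.100.7 GET /dxr.axd r=res_d 404
2025-01-10 10:00:14 198.51.100.7 GET /dxr.axd r=res_e 404
2025-01-10 10:00:15 198.51.100.7 GET /dxr.axd r=res_f 200
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)

def parse_line(line):
    """Return (timestamp, client_ip, r_value) for /DXR.axd requests, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m["stem"].lower() != "/dxr.axd":  # IIS paths are case-insensitive
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
    params = parse_qs(m["query"]) if m["query"] != "-" else {}
    return ts, m["ip"], params.get("r", [None])[0]

def find_enumerating_clients(log_text, window=timedelta(seconds=60), threshold=5):
    """Map client IP -> peak number of distinct r= values seen within `window`,
    for clients that exceeded `threshold` (assumed cut-off) at least once."""
    recent = defaultdict(deque)  # ip -> (ts, r_value) pairs, oldest first
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, r_value = parsed
        q = recent[ip]
        q.append((ts, r_value))
        while q and ts - q[0][0] > window:  # drop entries outside the sliding window
            q.popleft()
        distinct = {r for _, r in q}
        if len(distinct) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged
```

Running `find_enumerating_clients(SAMPLE_LOG)` on the constructed sample flags only 198.51.100.7 (6 distinct resources in 6 seconds); tune `threshold` against a baseline of what a legitimate page load in your application fetches.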


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2022-09-26T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0fb1484d88663aec545

Added to database: 5/20/2025, 6:59:07 PM

Last enriched: 7/6/2025, 9:27:45 AM

Last updated: 8/14/2025, 10:30:18 AM
