gist.txt

> [Suggested description]
> In DevExpress.XtraReports.UI , there is
> Insecure Deserialization in the XtraReports.FromFile by default if not called `DeserializationSettings.EnableSafeDeserialization();` manually.
> 
> ------------------------------------------
> 
> [Vulnerability Type]
> Insecure Deserialization
> 
> ------------------------------------------
> 
> [Vendor of Product]
> DevExpress
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> DevExpress.XtraReports.UI
> 
> ------------------------------------------
> 
> [Affected Component]
> https://docs.devexpress.com/XtraReports/10011/detailed-guide-to-devexpress-reporting/store-and-distribute-reports/store-report-layouts-and-documents/xml-serialization
> 
> ------------------------------------------
> 
> [Attack Type]
> Remote
> 
> ------------------------------------------
> 
> [Impact Code execution]
> true
> 
> ------------------------------------------
> 
> [Reference]
> https://docs.devexpress.com/XtraReports/10011/detailed-guide-to-devexpress-reporting/store-and-distribute-reports/store-report-layouts-and-documents/xml-serialization
> https://supportcenter.devexpress.com/ticket/details/t708194/net-web-controls-unsafe-data-type-deserialization-updated-on-december-19-2019
>
> ------------------------------------------
> 
> [Discoverer]
> CHT Security/Tree