CVE-2021-36483: 
DevExpress Components vulnerability analysis and mitigation

CVE-2021-36483 affects DevExpress.XtraReports.UI through version 21.1, allowing attackers to execute arbitrary code via insecure deserialization. The vulnerability was discovered in August 2021 and has a CVSS v3.1 base score of 8.8 (HIGH) (NVD, ZDI).

The vulnerability exists within the SafeBinaryFormatter library of DevExpress XtraReports. The specific flaw stems from the lack of proper validation of user-supplied data when using XtraReports.FromFile, which can result in deserialization of untrusted data if DeserializationSettings.EnableSafeDeserialization() is not called manually. The vulnerability is classified as CWE-502: Deserialization of Untrusted Data (GitHub Advisory, ZDI).

Successful exploitation of this vulnerability allows attackers to execute arbitrary code in the context of the service account. The vulnerability has a high impact on confidentiality, integrity, and availability of the affected system (ZDI).

The vulnerability was fixed in DevExpress version v21.2.2. For earlier versions, developers should explicitly call DeserializationSettings.EnableSafeDeserialization() to prevent unsafe deserialization (ZDI).

The vulnerability was initially discovered by TsungShu Chiu of CHT Security and was later coordinated through the Zero Day Initiative program. The disclosure timeline shows the vulnerability was reported to the vendor on August 25, 2021, with a coordinated public release on February 15, 2022 (CHT Security, ZDI).