V25.2
    Third-Party Security Scanner Alerts and False Positive Reports


    As you may know, third-party security scanners and services often rely on generic signatures. These signatures can trigger alerts that do not represent legitimate security risks.

    This help topic describes known false-positive scanner alerts. Each section explains the affected scope and the technical reasoning behind our conclusion.

    Cross-Site Scripting (CWE-79, CWE-80)

    CWE-79
    Improper Neutralization of Input During Web Page Generation
    CWE-80
    Improper Neutralization of Script-Related HTML Tags in a Web Page

    Scanner Tools

    • WAS (Web Application Security) Tools
    • Veracode

    WAS Alerts

    Warning

    A test payload generated a syntax error within the Web Application. This often points to a problem with input validation routines or lack of filters on user-supplied content.

    Warning

    The test successfully embedded a script in the response as part of an existing JavaScript content. When the original script is executed, the injected script will be executed as well. This means that the application is vulnerable to Cross-Site Scripting attacks.

    Warning

    A malicious user may be able to create a denial of service, serious error, or exploit depending on the error encountered by the Web application.

    Affected Components

    Technical Details

    WAS flags hidden input fields with the _State suffix as potentially dangerous based on underlying scanner signature matching:

    <input type="hidden" name="ASPxGridView1" id="ASPxGridView1_State" value="{...}">
    <input type="hidden" name="ASPxPopupControl1" id="ASPxPopupControl1_State" value="{...}">
    <input type="hidden" name="ASPxPageControl1" id="ASPxPageControl1_State" value="{...}">
    

    Veracode reports this issue when an encoded value that contains a script can be assigned to an input element (for example, 1234%27A-alert%2889%29%2F%2F):

    <!-- ASPxComboBox -->  
    <table class="dxeButtonEditSys dxeButtonEdit" id="ASPxComboBox1">  
    
    <input class="dxeEditArea dxeEditAreaSys"
            id="ASPxComboBox1_I"
            name="ASPxComboBox1"
            type="text"
            autocomplete="off" ...>  
    

    Resolution

    These alerts do not indicate executable XSS. Server-side validation blocks script execution.

    SQL Injection (CWE-89, CAPEC-7)

    CWE-89
    Improper Neutralization of Special Elements used in an SQL Command
    CAPEC-7
    Blind SQL Injection

    Scanner Tools

    • OWASP ZAP
    • Veracode
    • IBM Security AppScan
    • SiteLock

    SiteLock Alerts

    Warning

    Using the GET HTTP method, SiteLock found that the following resources may be vulnerable to blind SQL injection: the 'r' parameter of the /DXR.axd CGI.

    Warning

    Using the GET HTTP method, SiteLock found that the following resources may be vulnerable to blind SQL injection (time based): the 'r' parameter of the /DXR.axd CGI.

    Affected Scope

    • DXR.axd request parameters
    • DevExpress.Data internal SQL API
    • Search Panel (DXSE) and Filter Row (DXFREditor) parameters

    Technical Details

    DXR.axd URLs and Parameters

    DXR.axd is the default DevExpress HTTP handler used in ASP.NET applications. It serves embedded DevExpress resources (images, JavaScript files, and CSS styles). These resources are packaged inside DevExpress assemblies and are requested by the browser through the DXR.axd endpoint. The handler resolves the request, retrieves the resource from the assembly, and sends it to the client.

    These embedded resources are intended for public access. They do not expose sensitive information or server-side code and do not interact with databases.

    The DevExpress HTTP handler validates resource keys.

    Direct SQL APIs

    InternalExecSql, InternalGetScalar, and InternalGetData methods of ConnectionProviderSql accept SQL commands, which are fully controlled by the application developer.

    These methods let you execute direct SQL queries against a database, avoiding dynamic SQL construction, and return results as scalar values, result sets, or object collections.

    Search Panel and Filter Row (Application Configuration)

    DXFREditor and DXSE parameters transfer Search Panel and Filter Row editor values to filter data displayed in grid-based UI controls (for example, ASPxGridView, ASPxTreeList, and ASPxCardView).

    In standard binding mode, filters apply at the control level. The Data Controller validates values before applying the filter. These values never reach the database.

    In server mode, values are sanitized before query execution. Injected SQL cannot execute at the database level.

    Resolution

    • DXR.axd does not expose database access.
    • When working with direct SQL APIs, you must ensure that SQL queries are secure.

    Improper Restriction of XML External Entity Reference (CWE-611)

    Scanner Tool

    • Veracode

    Warning

    Veracode Alert: Improper Restriction of XML External Entity Reference (‘XXE’)

    Affected Component

    Technical Details

    XML content converts to internal file objects (FileManagerFile). The ASPxFileManager renders markup from these objects.

    An attack requires direct access to the storage provider. Users cannot supply arbitrary XML sources.

    Resolution

    This issue does not expose XXE risk in real deployments.

    Insecure Temporary File (CWE-377)

    Affected Components

    Technical Details

    Internal code uses the GetTempFileName method to access system temporary files. Temporary files never reach the client.

    Resolution

    No external access exists.

    Information Exposure (CWE-201, CWE-540, CWE-615)

    CWE-201
    Insertion of Sensitive Information Into Sent Data
    CWE-540
    Inclusion of Sensitive Information in Source Code
    CWE-615
    Inclusion of Sensitive Information in Source Code Comments

    Scanner Tool

    • Veracode
    • SecureTrust

    Warning

    Veracode Alert: Information Exposure Through Sent Data

    Affected Scope

    Technical Details

    DXR.axd URLs and Parameters

    DXR.axd is the default DevExpress HTTP handler used in ASP.NET applications. It serves embedded DevExpress resources (images, JavaScript files, and CSS styles). These embedded resources are intended for public access. They do not expose sensitive information or server-side code.

    The word "password" in these files does not indicate stored or transmitted credentials. It refers only to HTML input elements of type password.

    ASPxPivotGrid
    UploadString(string data) and UploadStringAsync(string, object) methods handle data uploads. These methods process all information on the server.

    Resolution

    Passwords and sensitive information are not sent to the client. No confidential information exposure occurs.

    Use of Hard-coded Credentials (CWE-798)

    Scanner Tool

    • Veracode

    Affected Components

    Technical Details

    The ADSSYS account is a built-in administrator account for Advantage Database Server.

    • The connection string (?1?=?2??Datasource=?0??servertype=local?userid=ADSSYS?Password=?3??TrimTrailingSpaces=tru) does not include any sensitive or user-specific information.
    • Passwords and non-built-in user names are not hard-coded in the XPO library.

    Resolution

    Using ADSSYS in this context does not introduce security risks.

    Improper Neutralization of CRLF Sequences in HTTP Headers (CWE-113)

    Scanner Tool

    • Veracode

    Warning

    Veracode Alert: Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Response Splitting’)

    Affected Components

    Technical Details

    ASPxHttpHandlerModule
    The WriteFolderToResponse and WriteFileToResponse methods validate requested public resources by file extension. Only .css and .js files are allowed. The API cannot be used to access arbitrary files.
    ASPxSpreadsheet
    The CreateImageBox method accepts an image index. The server generates this index internally. Client input cannot alter the value or reference other data. Header manipulation is not possible through this method.

    Resolution

    User input cannot alter headers or access other resources.

    Cleartext Storage of Sensitive Information in Memory (CWE-316)

    Affected Component

    Technical Details

    The following classes store document protection metadata. This data prevents accidental edits. This information is not considered sensitive.

    • DevExpress.XtraRichEdit.Commands.ProtectionInfo
    • DevExpress.XtraRichEdit.AuthenticationOptions

    Resolution

    The alert does not indicate sensitive data exposure.

    Use of a Broken or Risky Cryptographic Algorithm (CWE-327)

    Scanner Tool

    • Veracode

    Affected Components

    • DevExpress RichEdit (WinForms, WPF, ASP.NET)
    • DevExpress PDF Viewer controls and PDF Document
    • DevExpress File & Document APIs
    • DevExpress UI Components that support export to Excel and PDF

    Technical Details

    Veracode flags the use of weak or risky cryptographic algorithms (such as MD5 and SHA-1). DevExpress components use these algorithms in contexts where standards or file format specifications require them (not for general-purpose cryptography).

    Modern .NET components include an internal HashCodeHelper class to provide secure alternatives. Some legacy scenarios still rely on algorithms that Veracode marks as potentially unsafe.

    RichEdit

    MD5 is required by the ECMA-376 standard for document protection (article 2.15.1.28).

    Method: CheckOpenXmlDocumentProtectionPassword(PasswordHashCodeCalculator calculator, string password)

    Spreadsheet (XLS Export)

    MD5 is mandated by the Excel Binary File Format specification (article 2.3.6.1).

    Method: MD5Hash.CreateMD5()

    Office Crypto (XLS Export)

    Required for compliance with the Office Document Cryptography Structure (article 2.3.4).

    Method: CipherInfo.GetAlgorithm()

    PDF Export and PDF Libraries

    MD5 is required by the PDF specification for encryption (article 7.6).

    ZIP Archives

    AES in ECB mode is used for decrypting legacy ZIP archives (standard ZIP encryption is weak).

    Method: ICryptoTransform CreateAesCryptoTransform(string, byte[], byte[])

    PDF Digital Signatures

    SHA-1 is required by the PDF specification for digital signatures (article 12.8).

    Resolution

    These algorithms are used only to meet file format or standard compliance requirements. They do not expose DevExpress applications to security risks in typical usage scenarios.

    External Control of File Name or Path (CWE-73)

    Affected Components

    • DevExpress RichEdit
    • DevExpress Charts

    Technical Details

    RichEdit
    The FileDocumentImageSource constructor accepts a file path as part of the RichEdit public API. This behavior enables application developers to load document images from custom locations.
    Charts
    The HolidaysLoader.LoadHolidaysCollection method allows applications to load holiday definitions from an XML file. The method safely processes XML content. Because this API is public, the library cannot restrict the file path value. Path validation and access control must be implemented by the application.

    Resolution

    These APIs themselves do not introduce vulnerabilities. Security depends on how the application supplies and validates file paths.
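The extension allow-list described for WriteFileToResponse in the CWE-113 section above and the application-side path validation this section calls for, as an added Python example that is not part of the DevExpress libraries; the base directory and request names are constructed values, and nothing needs to exist on disk.

```python
from pathlib import Path

# Extensions the help topic says ASPxHttpHandlerModule serves as public resources.
PUBLIC_RESOURCE_EXTENSIONS = frozenset({".css", ".js"})


def has_allowed_extension(requested, allowed=PUBLIC_RESOURCE_EXTENSIONS):
    """Extension allow-list check of the kind WriteFileToResponse applies."""
    return Path(requested).suffix.lower() in allowed


def resolve_under_base(base_dir, user_path):
    """Resolve user_path against base_dir and require the result to stay inside it.

    Returns the resolved Path, or None when the path escapes the base through
    '..' segments, an absolute path (which replaces base_dir when joined), or a
    symlink that points elsewhere (resolve() follows symlinks that exist).
    """
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def safe_resource_path(base_dir, user_path, allowed=PUBLIC_RESOURCE_EXTENSIONS):
    """Apply both checks in the order a handler would: cheap allow-list first,
    then confinement. Returns a str path, or None when either check fails."""
    if not has_allowed_extension(user_path, allowed):
        return None
    resolved = resolve_under_base(base_dir, user_path)
    return None if resolved is None else str(resolved)


if __name__ == "__main__":
    # Constructed base directory and requests; resolve() is non-strict, so the
    # lexical result is checked even when the paths do not exist.
    base = "/srv/app/resources"
    for request in ("dx/styles.css", "../web.config", "/etc/passwd", "img/logo.png"):
        print(f"{request!r:20} -> {safe_resource_path(base, request)}")
```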

    URL Redirection to Untrusted Site (CWE-601)

    Scanner Tool

    • Veracode

    Affected API

    • GoogleDrivePersonalHelper
    • OneDrivePersonalHelper

    Technical Details

    GoogleDrivePersonalHelper and OneDrivePersonalHelper classes call the HttpContext.Current.Response.Redirect method with URLs constructed exclusively from server-side values. These values are defined by the application logic and do not incorporate client input.

    Resolution

    Open redirect is not possible.

    Use of Externally-Controlled Input to Select Classes or Code (CWE-470)

    Scanner Tool

    • Veracode

    Affected API

    • DevExpress.Web.Internal.ThemesProvider.LoadCustomThemeAssemblyByPath

    Technical Details

    The LoadCustomThemeAssemblyByPath method calls System.Reflection.Assembly.LoadFile. This method is invoked only by the ASPxThemeDeployer tool on a developer machine. It is used to extract DevExpress theme resources for deployment within an application.

    The LoadCustomThemeAssemblyByPath method is not executed at runtime in deployed applications. Users or threat actors cannot trigger it.

    Resolution

    Unsafe reflection does not introduce a risk in deployed applications.

    Insufficient Entropy (CWE-331)

    Scanner Tool

    • Veracode

    Warning

    Veracode Alert: Insufficient Entropy

    Affected Component

    Technical Details

    The Next(int) method is used internally by the ASPxCaptcha component.

    Captcha requests occur at varying times, and image recognition introduces additional variability. These factors increase entropy and make it infeasible for a threat actor to predict generated values.

    Resolution

    The ASPxCaptcha component maintains sufficient randomness to prevent abuse. In practice, predicting values is impossible.

    Protection Mechanism Failure (CWE-693)

    Warning

    Scanner Alert: Response headers include the HTTP Content-Security-Policy security header with the following security issues:

    • script-src: ‘self’ can be problematic if you host JSONP, Angular or user uploaded files.
    • script-src: ‘unsafe-eval’ allows the execution of code injected into DOM APIs - such as eval().
    • script-src: ‘unsafe-inline’ allows the execution of unsafe in-page scripts and event handlers.

    Affected Components

    Technical Details

    Security scanners report a security mechanism failure when HTTP Content-Security-Policy (CSP) headers appear overly permissive.

    DevExpress ASP.NET Web Forms controls and MVC extensions rely on legacy JavaScript libraries. These libraries dynamically load scripts and execute eval or Function methods. To function correctly, the framework requires the following CSP directive:

    script-src 'unsafe-inline' 'unsafe-eval' 'self'
    
    • unsafe-inline allows in-page scripts and event handlers.
    • unsafe-eval permits execution of dynamic code via eval() or Function().
    • self restricts script loading to the same origin.

    These directives match standard ASP.NET Web Forms behavior. The same requirements apply to ASP.NET MVC extensions, which share the same core framework.
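As an added example (not DevExpress code), the following Python script reproduces the scanner's script-src check over the directive quoted above and shows how to keep the rest of the policy strict while that directive stays permissive. The fallback from script-src to default-src follows the CSP specification; the extra directives in scope_legacy_script_src are this example's suggestion, not a framework requirement.

```python
# Constructed sample: the script-src directive this help topic says the legacy
# DevExpress Web Forms / MVC framework requires.
DEVEXPRESS_SCRIPT_SRC = "script-src 'unsafe-inline' 'unsafe-eval' 'self'"

# Keyword sources that CSP scanners report, with the reason they give.
RISKY_SOURCES = {
    "'unsafe-inline'": "allows in-page scripts and event handlers",
    "'unsafe-eval'": "allows eval() and Function() on dynamically built code",
}


def parse_csp(header):
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_src_findings(header):
    """Return (source, reason) pairs for risky keywords in the effective script-src.

    Per the CSP specification, script-src falls back to default-src when absent,
    so a permissive default-src is reported the same way.
    """
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    return [(src, why) for src, why in RISKY_SOURCES.items() if src in sources]


def scope_legacy_script_src(header):
    """Keep the script-src the legacy framework needs but close the other gaps.

    Assumption: default-src 'self', object-src 'none' and base-uri 'self' are
    this example's hardening suggestion, not a DevExpress requirement; directives
    already present in the header are left untouched.
    """
    policy = parse_csp(header)
    policy.setdefault("default-src", ["'self'"])
    policy.setdefault("object-src", ["'none'"])
    policy.setdefault("base-uri", ["'self'"])
    return "; ".join(f"{name} {' '.join(srcs)}".strip() for name, srcs in policy.items())
```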

    Resolution

    This requirement matches standard ASP.NET behavior. DevExpress does not plan to remove these directives due to implementation complexity.

    For strict CSP compliance, consider migrating to a modern platform. Refer to the following help topics for additional information:

    PDF Rendering CVEs

    CVE (Common Vulnerabilities and Exposures)

    • CVE-2017-15232
    • CVE-2018-14498
    • CVE-2018-19664
    • CVE-2018-20330

    Affected Components

    • PDF Viewer (WinForms, WPF)
    • PDF Document Processor (File & Document API)

    Technical Details

    DevExpress WinForms PDF Viewer, WPF PDF Viewer, and PdfDocumentProcessor do not use the vulnerable functionality.

    Resolution

    DevExpress components are not impacted by the security issues described in these CVEs. No mitigation or code changes are required.

    HTTP Verb Tampering

    Scanner Tool

    • IBM Security AppScan

    Affected Scope

    • DXR.axd request parameters

    Technical Details

    DXR.axd URLs and Parameters
    DXR.axd is the default DevExpress HTTP handler used in ASP.NET applications. It serves embedded DevExpress resources (images, JavaScript files, and CSS styles). These embedded resources are intended for public access. They do not expose sensitive information or server-side code.

    Resolution

    HTTP verb manipulation cannot compromise security or access confidential data.

    Unencoded Input in ASPxComboBox

    Scanner Tool

    • Retina Web Security Scanner

    Warning

    Scanner Alerts:

    • “Quotes in attribute”
    • “Unfiltered input parameter”
    • “Unfiltered quote”
    • “Unfiltered <a> tag with onmouseover handler”

    Affected Component

    Resolution

    Input values may be modified before posting to the server. All values are encoded when rendered as client-side programmatic objects. The EncodeHtml property (enabled by default) ensures that all rendered HTML entries are safe from injection attacks.

    Application-Level Configuration Warnings

    Scanner Tool

    • ASafaWeb

    ASafaWeb Alerts

    Warning

    Custom errors: Fail

    Warning

    Request validation: Fail

    Affected Scope

    • Application Configuration

    Resolution

    These settings must be configured at the application level. Some DevExpress ASP.NET demo applications explicitly disable request validation to allow entry of all characters. This is safe for demos but should be managed appropriately in production environments.
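An added Python example, not DevExpress code, that applies the two ASafaWeb checks quoted above to a constructed web.config fragment with the demo-style settings and to the same fragment with production values. Assumption: only customErrors and pages/validateRequest are inspected; page-level directives and httpRuntime settings that also influence request validation are out of scope.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment with the settings the ASafaWeb alerts above
# fire on: detailed errors shown to remote clients, request validation off.
DEMO_STYLE_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="Off" />
    <pages validateRequest="false" />
  </system.web>
</configuration>"""

# The same fragment with values a production deployment would normally use.
PRODUCTION_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error" />
    <pages validateRequest="true" />
  </system.web>
</configuration>"""


def _child(element, tag):
    """Return the first direct child with the given tag, or None."""
    if element is None:
        return None
    return next((c for c in element if c.tag == tag), None)


def check_web_config(xml_text):
    """Evaluate the two ASafaWeb checks and return Pass/Fail per check.

    Defaults follow ASP.NET: without a customErrors element the mode is
    RemoteOnly, and without a pages element validateRequest is true.
    Elements are compared against None explicitly because an ElementTree
    element with no children evaluates as falsy.
    """
    web = _child(ET.fromstring(xml_text), "system.web")
    custom_errors = _child(web, "customErrors")
    pages = _child(web, "pages")
    mode = custom_errors.get("mode", "RemoteOnly") if custom_errors is not None else "RemoteOnly"
    validate = pages.get("validateRequest", "true") if pages is not None else "true"
    return {
        "Custom errors": "Pass" if mode.lower() in ("on", "remoteonly") else "Fail",
        "Request validation": "Pass" if validate.lower() == "true" else "Fail",
    }
```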
