Headline
CVE-2023-0952: DEVO-2023-0003
Improper access controls on entries in Devolutions Server 2022.3.12 and earlier could allow an authenticated user to access sensitive data without proper authorization.
Affected Products
Devolutions Server 2022.3.12 and earlier.
Change Log
Initial publication - 2023-02-22
Product
Devolutions Server
Summary
Devolutions Server is affected by multiple security vulnerabilities.
SQL Injection in the documentation component
Description
Insufficient input sanitization in the documentation feature of Devolutions Server 2022.3.12 and earlier allows an authenticated attacker to perform an SQL Injection, potentially resulting in unauthorized access to system resources.
Remediation and Workarounds
Upgrade to Devolutions Server 2022.3.13 or higher.
Severity
Critical - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H 9.9
Affected Products
Devolutions Server 2022.3.12 and earlier.
Improper access control on endpoints in Devolutions Server
Description
Improper access controls on some API endpoints in Devolutions Server 2022.3.12 and earlier could allow a user with standard privileges to perform privileged actions.
Remediation and Workarounds
Upgrade Devolutions Server to 2022.3.13 or higher.
Severity
High - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N 8.5
Affected Products
Devolutions Server 2022.3.12 and earlier.
Improper access controls on entries in Devolutions Server
Description
Improper access controls on entries in Devolutions Server 2022.3.12 and earlier could allow an authenticated user to access sensitive data such as passwords without proper authorization.
Remediation and Workarounds
Upgrade Devolutions Server to 2022.3.13 or higher.
Severity
Medium - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 6.5
Affected Products
Devolutions Server 2022.3.12 and earlier.