Security & Compliance
DEVO-2022-0006
Summary
Multiple vulnerabilities were fixed in Devolutions Server 2022.2.
Affected products
Devolutions Server 2022.1 and earlier
Changelog
Initial Publication - 2022-07-05
Severity
High
Product
Devolutions Server
Fixed version
2022.2
HTML injection in the secure message title
Description
Some HTML tags could be injected into the title of secure messages. JavaScript execution through this injection is not possible because of the sanitization performed by the Angular framework. An attacker with access to Devolutions Server could use it to alter the rendering of the page or redirect a user to another site.
Fixes and workarounds
Upgrade to Devolutions Server 2022.2
Severity
Low - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Affected products
Devolutions Server 2022.1 and earlier
CVE(s)
CVE-2022-2316
Incorrect handling of permissions when creating a user with a pre-existing username
Description
When a user was deleted, their permission assignments remained in the database. If a new user was later created with the same username, that user inherited the permissions of the deleted user.
Starting with Devolutions Server 2022.2, permissions are assigned based on the user's unique ID instead of the username.
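As an added illustration (a constructed model, not Devolutions code), the two designs side by side: a grant table keyed by username, where deleting the user leaves the grants behind, and one keyed by a stable unique ID, where the grants are removed together with the user. The replay() helper runs the delete-then-recreate sequence through each model, and orphaned_grants() is an audit check a defender could run against the vulnerable layout; all names are assumptions for the example.

```python
import uuid

# Constructed example, not Devolutions code. It models the advisory's second
# issue: grants keyed by username outlive the user and are inherited by a new
# account with the same name, versus grants keyed by a stable unique user ID.

class UsernameKeyedDirectory:
    """Vulnerable model: permission grants are keyed by username only."""
    def __init__(self):
        self.users = set()   # active usernames
        self.grants = {}     # username -> set of permissions
    def create_user(self, username):
        self.users.add(username)
    def grant(self, username, permission):
        self.grants.setdefault(username, set()).add(permission)
    def delete_user(self, username):
        self.users.discard(username)  # grants are left behind: the bug
    def permissions(self, username):
        return set(self.grants.get(username, set()))  # lookup by name only
    def orphaned_grants(self):
        """Audit check: grants whose username no longer exists as a user."""
        return {u for u in self.grants if u not in self.users}

class IdKeyedDirectory:
    """Fixed model: grants are keyed by an immutable per-user ID."""
    def __init__(self):
        self.users = {}      # username -> user ID
        self.grants = {}     # user ID -> set of permissions
    def create_user(self, username):
        self.users[username] = str(uuid.uuid4())  # fresh ID, even for a reused name
    def grant(self, username, permission):
        self.grants.setdefault(self.users[username], set()).add(permission)
    def delete_user(self, username):
        self.grants.pop(self.users.pop(username), None)  # grants go with the user
    def permissions(self, username):
        uid = self.users.get(username)
        return set(self.grants.get(uid, set())) if uid else set()

def replay(directory_cls):
    """Grant, delete the user, re-create the same username, report its rights."""
    d = directory_cls()
    d.create_user("alice")
    d.grant("alice", "vault:admin")
    d.delete_user("alice")
    d.create_user("alice")  # a different person who happens to get the same name
    return d.permissions("alice")
```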
Fixes and workarounds
Upgrade to Devolutions Server 2022.2
Severity
High - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Affected products
Devolutions Server 2022.1 and earlier
CVE(s)
CVE-2022-33996