Security & Compliance

DEVO-2022-0006

Summary

Multiple vulnerabilities were fixed in Devolutions Server 2022.2.

Affected products

Devolutions Server 2022.1 and earlier

Changelog

Initial Publication - 2022-07-05

Severity

High

Product

Devolutions Server

Fixed version

2022.2

HTML injection in the secure message title

Description

Some HTML tags could be injected in the title of secure messages. JavaScript code execution via this injection is not possible due to sanitizing done by the Angular framework. An attacker with access to Devolutions Server could use it to alter the rendering of the page or redirect a user to another site.

Remediation and workarounds

Upgrade to Devolutions Server 2022.2

Severity

Low - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Affected products

Devolutions Server 2022.1 and earlier

CVE(s)

CVE-2022-2316

Incorrect handling of permissions when creating a user with a pre-existing username

Description

When deleting a user, the permission assignments remained in the database. If a new user was created with the same username, the user would get the permissions of that previous user.

Starting with Devolutions Server 2022.2, permissions are assigned based on the user's unique ID instead of the username.
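The failure mode described above, reproduced on a hypothetical SQLite schema (an added illustration, not Devolutions Server code or its actual database layout): grants keyed by username survive deletion and attach to a re-created account, while grants keyed by a unique ID do not. The table names, the `jsmith` account and the `vault:admin` permission are constructed, and `orphaned_grants` is one assumed way to audit for leftover rows.

```python
import sqlite3
import uuid

# Hypothetical schema for illustration; not the Devolutions Server database.
SCHEMA = """
CREATE TABLE users (id TEXT PRIMARY KEY, username TEXT UNIQUE NOT NULL);
CREATE TABLE perms_by_name (username TEXT NOT NULL, permission TEXT NOT NULL);
CREATE TABLE perms_by_id (user_id TEXT NOT NULL, permission TEXT NOT NULL);
"""

def create_user(db, username):
    user_id = str(uuid.uuid4())  # unique ID, never reused across accounts
    db.execute("INSERT INTO users VALUES (?, ?)", (user_id, username))
    return user_id

def grant(db, user_id, username, permission):
    # Record the same grant under both keying schemes for comparison.
    db.execute("INSERT INTO perms_by_name VALUES (?, ?)", (username, permission))
    db.execute("INSERT INTO perms_by_id VALUES (?, ?)", (user_id, permission))

def delete_user(db, username):
    # Mirrors the described behaviour: only the user row is removed.
    db.execute("DELETE FROM users WHERE username = ?", (username,))

def effective(db, username):
    """Return (permissions resolved by username, permissions resolved by ID)."""
    by_name = [r[0] for r in db.execute(
        "SELECT permission FROM perms_by_name WHERE username = ?", (username,))]
    by_id = [r[0] for r in db.execute(
        "SELECT p.permission FROM perms_by_id p JOIN users u ON u.id = p.user_id "
        "WHERE u.username = ?", (username,))]
    return by_name, by_id

def orphaned_grants(db):
    """Audit check: name-keyed grants whose owner no longer exists."""
    return db.execute("SELECT username, permission FROM perms_by_name WHERE "
                      "username NOT IN (SELECT username FROM users)").fetchall()

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed sample account and permission.
    grant(db, create_user(db, "jsmith"), "jsmith", "vault:admin")
    delete_user(db, "jsmith")
    orphans = orphaned_grants(db)   # audit before the username is reused
    create_user(db, "jsmith")       # different person, same username
    return orphans, effective(db, "jsmith")

if __name__ == "__main__":
    print(demo())
```

The audit query only finds leftovers while the username is unused; once an account with the same name exists again, name-keyed rows are indistinguishable from legitimate grants.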

Remediation and workarounds

Upgrade to Devolutions Server 2022.2

Severity

High - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Affected products

Devolutions Server 2022.1 and earlier

CVE(s)

CVE-2022-33996
