Sécurité et conformité
DEVO-2021-0004
Résumé
Plusieurs vulnérabilités ont été corrigés dans Devolutions Server.
Produits affectés
Devolutions Server 2020.3 and earlier, Devolutions Server LTS 2020.3.17 and earlier
Journal des modifications
Publication initiale - 2021-03-30
Sévérité
High
Produit
Devolutions Server
Version corrigée
2021.1
Overly Permissive CORS Policy (CVE-2021-28048)
Description
An overly permissive CORS Policy exists in Devolutions Server, allowing Cross-Origin requests from any domain. This allows an attacker to interact with the API when a victim visits a malicious website.
Mesures correctives et solutions de contournement
Update to Devolutions Server 2021.1 or higher
Update to Devolutions Server LTS 2020.3.18 or higher
Sévérité
High - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Produits affectés
Devolutions Server 2020.3 and earlier
Devolutions Server LTS 2020.3.17 and earlier
CVE(s)
CVE-2021-28048
SQL Injection on User Deletion (CVE-2021-28157)
Description
It is possible for an administrator to inject SQL code into a username and execute it by deleting the user.
Mesures correctives et solutions de contournement
Update to Devolutions Server 2021.1 or higher, Update to Devolutions Server 2020.3.18 or higher
Sévérité
High - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Produits affectés
Devolutions Server 2020.3 and earlier, Devolutions Server LTS 2020.3.17 and earlier
CVE(s)
CVE-2021-28157
Crédits
Marc Olivier Bergeron @ GoSecure