Sécurité et conformité

Avis Signaler un problème de sécurité Centre de confiance

DEVO-2022-0006

Résumé

Multiple vulnerabilities were fixed in Devolutions Server 2022.2.

Produits affectés

Devolutions Server 2022.1 and earlier

Journal des modifications

Initial Publication - 2022-07-05

Sévérité

High

Produit

Devolutions Server

Version corrigée

2022.2

HTML injection in the secure message title

Description

Some HTML tags could be injected in the title of secure messages. Javascript code execution via this injection is not possible due to sanitizing done by the Angular framework. An attacker with access to Devolutions Server could use it to alter the rendering of the page or redirect a user to another site.

Mesures correctives et solutions de contournement

Upgrade to Devolutions Server 2022.2

Sévérité

Low - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Produits affectés

Devolutions Server 2022.1 and earlier

CVE(s)

CVE-2022-2316

Incorrect handling of permissions when creating a user with a pre-existing username

Description

When deleting a user, the permission assignments remained in the database. If a new user was created with the same username, the user would get the permissions of that previous user.

Starting with Devolutions Server 2022.2, permissions are assigned based on the user unique ID instead of its username.

Mesures correctives et solutions de contournement

Upgrade to Devolutions Server 2022.2

Sévérité

High - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Produits affectés

Devolutions Server 2022.1 and earlier

CVE(s)

CVE-2022-33996