Security and compliance

DEVO-2022-0006

Summary

Multiple vulnerabilities were fixed in Devolutions Server 2022.2.

Affected products

Devolutions Server 2022.1 and earlier

Changelog

Initial Publication - 2022-07-05

Severity

High

Product

Devolutions Server

Fixed version

2022.2

HTML injection in the secure message title

Description

Some HTML tags could be injected in the title of secure messages. JavaScript code execution via this injection is not possible because of the sanitizing done by the Angular framework. An attacker with access to Devolutions Server could use it to alter the rendering of the page or redirect a user to another site.

Remediation and workarounds

Upgrade to Devolutions Server 2022.2

Severity

Low - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Affected products

Devolutions Server 2022.1 and earlier

CVE(s)

CVE-2022-2316

Incorrect handling of permissions when creating a user with a pre-existing username

Description

When a user was deleted, the permission assignments remained in the database. If a new user was created with the same username, the new user would get the permissions of that previous user.

Starting with Devolutions Server 2022.2, permissions are assigned based on the user's unique ID instead of the username.
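The difference between the two keying schemes, as an added example that is not Devolutions Server code: it stores the same grant once keyed on username and once keyed on a unique ID, deletes the user, recreates the username, and compares what the new account receives. The schema, table names, the `jsmith` account, the `vault:admin` permission and the cascade-on-delete cleanup are all constructed for illustration.

```python
import sqlite3
import uuid

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript("""
        CREATE TABLE users (id TEXT PRIMARY KEY, username TEXT UNIQUE NOT NULL);
        -- Pattern described as the flaw: assignment keyed on a reusable username.
        CREATE TABLE perms_by_name (username TEXT NOT NULL, permission TEXT NOT NULL);
        -- Pattern described as the fix: assignment keyed on the unique ID.
        -- ON DELETE CASCADE is an extra cleanup choice of this example.
        CREATE TABLE perms_by_id (
            user_id TEXT NOT NULL REFERENCES users(id) ON DELETE CASCADE,
            permission TEXT NOT NULL);
    """)
    return db

def create_user(db, username):
    user_id = str(uuid.uuid4())  # never reused, unlike the username
    db.execute("INSERT INTO users VALUES (?, ?)", (user_id, username))
    return user_id

def grant(db, user_id, username, permission):
    # Record the same grant under both schemes so they can be compared.
    db.execute("INSERT INTO perms_by_name VALUES (?, ?)", (username, permission))
    db.execute("INSERT INTO perms_by_id VALUES (?, ?)", (user_id, permission))

def effective_perms(db, user_id, keyed_on):
    if keyed_on == "name":
        q = """SELECT p.permission FROM perms_by_name p
               JOIN users u ON u.username = p.username WHERE u.id = ?"""
    else:
        q = "SELECT permission FROM perms_by_id WHERE user_id = ?"
    return sorted(row[0] for row in db.execute(q, (user_id,)))

def orphaned_assignments(db):
    # Audit check: assignments whose username matches no current user.
    q = """SELECT p.username, p.permission FROM perms_by_name p
           LEFT JOIN users u ON u.username = p.username WHERE u.id IS NULL"""
    return db.execute(q).fetchall()

def demo():
    db = make_db()
    old_id = create_user(db, "jsmith")            # constructed sample account
    grant(db, old_id, "jsmith", "vault:admin")    # constructed sample permission
    db.execute("DELETE FROM users WHERE id = ?", (old_id,))  # user row only
    orphans = orphaned_assignments(db)            # stale rows left behind
    new_id = create_user(db, "jsmith")            # same username, new person
    return orphans, effective_perms(db, new_id, "name"), effective_perms(db, new_id, "id")

if __name__ == "__main__":
    print(demo())
```

The orphan query is the part worth adapting for review of any store that keys access on a reusable name: rows it returns are grants waiting for the next account created under that name.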

Remediation and workarounds

Upgrade to Devolutions Server 2022.2

Severity

High - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

Affected products

Devolutions Server 2022.1 and earlier

CVE(s)

CVE-2022-33996
