Sécurité et conformité

Avis Signaler un problème de sécurité Centre de confiance

DEVO-2025-0011

Résumé

Devolutions Server is affected by multiple vulnerabilities.

Produits affectés

See vulnerabilities for affected products.

Journal des modifications

4/06/2025 - Initial publication

Sévérité

Medium

Produit

Devolutions Server

Version corrigée

See vulnerabilities for fixed versions

Improper access control in users MFA feature

Description

Improper access control in users MFA feature in Devolutions Server 2025.1.7.0 and earlier allows a user with user management permission to remove or change administrators MFA.

Mesures correctives et solutions de contournement

Upgrade to Devolutions Server 2025.1.9.0 or higher

Sévérité

Medium 6.9 - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

Produits affectés

Devolutions Server 2025.1.7.0 and earlier

CVE(s)

CVE-2025-5382

Improper access control in Tor network blocking feature

Description

Improper access control in Tor network blocking feature in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to bypass the tor blocking feature when the Devolutions hosted endpoint is not reachable.

Mesures correctives et solutions de contournement

Upgrade to Devolutions Server 2025.2.2.0 or higher

Sévérité

2.3 Low - CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Produits affectés

Devolutions Server 2025.1.10.0 and earlier

CVE(s)

CVE-2025-3768

Improper access control in permissions component

Description

Improper access control in permissions component in Devolutions Server 2025.1.10.0 and earlier allows an authenticated user to bypass the "Edit permission" permission by bypassing the client side validation.

Mesures correctives et solutions de contournement

Upgrade to Devolutions Server 2025.2.2.0 or higher

Sévérité

Medium 5.3 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Produits affectés

Devolutions Server 2025.1.10.0 and earlier

CVE(s)

CVE-2025-0691