Devolutions Server 2022.1 and earlier
Initial Publication - 2022-07-05
High
Devolutions Server
2022.2
Multiple vulnerabilities were fixed in Devolutions Server 2022.2.
Some HTML tags could be injected in the title of secure messages. Javascript code execution via this injection is not possible due to sanitizing done by the Angular framework. An attacker with access to Devolutions Server could use it to alter the rendering of the page or redirect a user to another site.
Upgrade to Devolutions Server 2022.2
Low - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Devolutions Server 2022.1 and earlier
CVE-2022-2316
When deleting a user, the permission assignments remained in the database. If a new user was created with the same username, the user would get the permissions of that previous user.
Starting with Devolutions Server 2022.2, permissions are assigned based on the user unique ID instead of its username.
Upgrade to Devolutions Server 2022.2
High - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
Devolutions Server 2022.1 and earlier
CVE-2022-33996