Security & Compliance

DEVO-2024-0009

Summary

Devolutions Server is affected by a vulnerability.

Affected Products

Devolutions Server 2024.1.14.0 and earlier

Change Log

25/06/2024 - Initial publication

Severity

Medium

Product

Devolutions Server

Fix Version

2024.2.3

2FA bypass in Devolutions Server

Description

Authentication bypass in the 2FA feature in Devolutions Server 2024.1.14.0 and earlier allows an authenticated attacker to authenticate to another user without being asked for the 2FA via another browser tab.

The attacker needs to know his victims username and password to perform this attack.

Remediation and Workarounds

Upgrade to Devolutions Server 2024.1.15 or higher.

Severity

7.2 High - CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/U:Amber

Affected Products

Devolutions Server 2024.1.14 and earlier

CVE(s)

CVE-2024-4846