CVE-2023-1939 No access control for the OTP key on OTP entries

2023-04-1117:47:49

DEVOLUTIONS

www.cve.org

cve-2023-1939

access control

otp entries

remote desktop manager

non admin users

user interface

AI Score

Confidence

High

EPSS

0.001

Percentile

17.5%

JSON

No access control for the OTP key

on OTP entries

in Devolutions Remote Desktop Manager Windows 2022.3.33.0 and prior versions and Remote Desktop Manager Linux 2022.3.2.0 and prior versions allows non admin users to see OTP keys via the user interface.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Windows"
    ],
    "product": "Remote Desktop Manager",
    "vendor": "Devolutions",
    "versions": [
      {
        "lessThan": "2022.3.34.0",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  },
  {
    "defaultStatus": "unaffected",
    "platforms": [
      "Linux"
    ],
    "product": "Remote Desktop Manager",
    "vendor": "Devolutions",
    "versions": [
      {
        "lessThan": "2022.3.2.1",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]

References

devolutions.net/security/advisories/DEVO-2023-0009