CVE-2024-1764

Improper privilege management in Just-in-time JIT elevation module in Devolutions Server 2023.3.14.0 and earlier allows a user to continue using the elevated privilege even after the expiration under specific circumstances...

CVE-2024-1764

CVE-2024-1764 affects Devolutions Server 2023.3.14.0 and earlier, due to improper privilege management in the Just-in-time (JIT) elevation module. The root cause is the JIT privilege handling, which allows a user to continue using elevated privileges after expiration under certain circumstances. ...

CVE-2024-1898

Improper access control in the notification feature in Devolutions Server 2023.3.14.0 and earlier allows a low privileged user to change notifications settings configured by an administrator...

CVE-2024-1898

Improper access control in the notification feature in Devolutions Server 2023.3.14.0 and earlier allows a low privileged user to change notifications settings configured by an administrator...

CVE-2024-1898

CVE-2024-1898 : Devolutions Server (versions up to 2023.3.14.0) has improper access control in the notification feature, allowing a low-privileged user to change administrator-configured notification settings. The root cause is access control weakness that lets non-admins modify admin-defined con...

CVE-2024-1900

Improper session management in the identity provider authentication flow in Devolutions Server 2023.3.14.0 and earlier allows an authenticated user via an identity provider to stay authenticated after his user is disabled or deleted in the identity provider such as Okta or Microsoft O365. The use...

CVE-2024-1900

Improper session management in the identity provider authentication flow in Devolutions Server 2023.3.14.0 and earlier allows an authenticated user via an identity provider to stay authenticated after his user is disabled or deleted in the identity provider such as Okta or Microsoft O365. The use...

CVE-2024-1900

This CVE affects Devolutions Server (versions up to 2023.3.14.0) where improper session management in the identity provider authentication flow can allow an authenticated user, validated via an external IdP (e.g., Okta or O365), to remain authenticated after their identity is disabled or deleted....

CVE-2024-1901

CVE-2024-1901 describes a denial of service in Devolutions Server 2023.3.14.0 during PAM password rotation in the check-in process. An authenticated user with specific PAM permissions can render PAM credentials unavailable. The CVSS vector indicates network access, low attack complexity, and low ...

CVE-2024-1901

Denial of service in PAM password rotation during the check-in process in Devolutions Server 2023.3.14.0 allows an authenticated user with specific PAM permissions to make PAM credentials unavailable...

CVE-2023-6588

Offline mode is always enabled, even if permission disallows it, in Devolutions Server data source in Devolutions Workspace 2023.3.2.0 and earlier. This allows an attacker with access to the Workspace application to access credentials when offline...

CVE-2023-6588

Offline mode is always enabled, even if permission disallows it, in Devolutions Server data source in Devolutions Workspace 2023.3.2.0 and earlier. This allows an attacker with access to the Workspace application to access credentials when offline...

CVE-2023-6588

CVE-2023-6588 affects Devolutions Workspace (versions 2023.3.2.0 and earlier) where offline mode is always enabled in the Devolutions Server data source. The underlying issue allows an attacker with access to the Workspace application to access credentials while offline. The NVD entry lists a CVS...

CVE-2023-6588

Offline mode is always enabled, even if permission disallows it, in Devolutions Server data source in Devolutions Workspace 2023.3.2.0 and earlier. This allows an attacker with access to the Workspace application to access credentials when offline...

CVE-2023-6264

Information leak in Content-Security-Policy header in Devolutions Server 2023.3.7.0 allows an unauthenticated attacker to list the configured Devolutions Gateways endpoints...

CVE-2023-6264

Information leak in Content-Security-Policy header in Devolutions Server 2023.3.7.0 allows an unauthenticated attacker to list the configured Devolutions Gateways endpoints...

Information disclosure

Information leak in Content-Security-Policy header in Devolutions Server 2023.3.7.0 allows an unauthenticated attacker to list the configured Devolutions Gateways endpoints...

CVE-2023-6264

The CVE-2023-6264 case concerns Devolutions Server (version 2023.3.7.0). The issue is an information leak in the Content-Security-Policy header that allows an unauthenticated attacker to list configured Devolutions Gateways endpoints, i.e., information disclosure with network access (no authentic...

CVE-2023-6264

Information leak in Content-Security-Policy header in Devolutions Server 2023.3.7.0 allows an unauthenticated attacker to list the configured Devolutions Gateways endpoints...

PT-2023-32581 · Devolutions · Devolutions Server

Name of the Vulnerable Software and Affected Versions: Devolutions Server version 2023.3.7.0 Description: The issue concerns an information leak in the Content-Security-Policy header, allowing an unauthenticated attacker to list the configured Devolutions Gateways endpoints. Recommendations: For...