Devolutions: Devolutions Server

103 matches found

CVE · added 2021/04/01 9:50 p.m. · 270 views

CVE-2021-23925

Devolutions Server (prior to version 2020.3) contains a cross-site scripting (XSS) vulnerability in Document entries. The issue affects Document-type data handling and allows injecting JavaScript code, as described across multiple references to CVE-2021-23925, with CVSS v3.1 base score 6.1 ...

CVSS 6.1 · AI score 6 · EPSS 0.00588

CVE · added 2021/04/01 9:48 p.m. · 85 views

CVE-2021-23924

Summary: Devolutions Server prior to 2020.3 contains an information-disclosure vulnerability where diagnostic files expose sensitive data. Affected product: Devolutions Server (versions before 2020.3). Vulnerability: Exposure of sensitive information in diagnostic files. Root cause stated as info...

CVSS 7.5 · AI score 7.3 · EPSS 0.00998

CVE · added 2024/03/26 3:51 p.m. · 79 views

CVE-2024-2921

The CVE concerns Devolutions Server (version family up to 2024.1.10.0) with an improper access control flaw in PAM vault permissions. An authenticated user who can access the PAM may reach unauthorized PAM entries due to the misconfigured permissions. Documents consistently describe the affected ...

CVSS 9.8 · AI score 6.5 · EPSS 0.00794

CVE · added 2021/04/01 9:44 p.m. · 78 views

CVE-2021-23923

The CVE concerns Devolutions Server prior to 2020.3 with a Broken Authentication issue involving Windows domain users. Public documents identify affected software and the vulnerability type but do not provide exploit details, exact root cause, or remediation steps within the supplied sources. Mon...

CVSS 8.1 · AI score 8 · EPSS 0.00758

CVE · added 2021/04/01 9:46 p.m. · 75 views

CVE-2021-23921

CVE-2021-23921 affects Devolutions Server prior to 2020.3. The issue is broken access control on Password List entry elements, as described in the CVE entry and corroborated by NVD/related records. The connected documents confirm the affected software and the underlying flaw (inadequate access re...

CVSS 9.1 · AI score 9.1 · EPSS 0.00998

CVE · added 2021/04/14 7:40 p.m. · 75 views

CVE-2021-28157

CVE-2021-28157 affects Devolutions Server and Devolutions Server LTS. The vulnerability is a SQL injection in the API endpoint api/security/userinfo/delete that allows an administrative user to execute arbitrary SQL commands. Affected versions are Devolutions Server before 2021.1 and Devolutions ...

CVSS 7.2 · AI score 7.6 · EPSS 0.00837
Web

CVE · added 2022/11/01 6:28 p.m. · 73 views

CVE-2022-3781

CVE-2022-3781 affects Devolutions Remote Desktop Manager (versions 2022.2.26 and earlier) and Devolutions Server (versions 2022.3.1 and earlier). The root cause is that Dashlane passwords and Keepass Server passwords stored in My Account Settings are not encrypted in the database, allowing databa...

CVSS 6.5 · AI score 6.5 · EPSS 0.00434

CVE · added 2024/03/05 9:33 p.m. · 68 views

CVE-2024-1901

CVE-2024-1901 describes a denial of service in Devolutions Server 2023.3.14.0 during PAM password rotation in the check-in process. An authenticated user with specific PAM permissions can render PAM credentials unavailable. The CVSS vector indicates network access, low attack complexity, and low ...

CVSS 4.3 · AI score 6.7 · EPSS 0.00339

CVE · added 2024/03/26 3:51 p.m. · 67 views

CVE-2024-2915

CVE-2024-2915 affects Devolutions Server up to version 2024.1.6, where a flaw in the PAM JIT elevation feature permits an attacker with PAM JIT access to elevate to unauthorized groups via a specially crafted request. The issue is categorized as improper access control; CVSS v3.1 base score 8.8 (...

CVSS 8.8 · AI score 6.7 · EPSS 0.00647

CVE · added 2022/07/07 11:19 a.m. · 65 views

CVE-2022-33996

CVE-2022-33996 affects Devolutions Server older than 2022.2. The issue is incorrect permission management where a new user with a preexisting username inherits the permissions of the previous user. Documented impact includes potential confidentiality, integrity, and availability concerns, with CV...

CVSS 8.8 · AI score 8.5 · EPSS 0.00924

CVE · added 2025/02/11 2:05 p.m. · 65 views

CVE-2025-1231

CVE-2025-1231 affects Devolutions Server 2024.3.10.0 and earlier, caused by an improper password reset in the PAM module that lets an authenticated user reuse the oracle password after check-in due to a crash in the password reset flow. Exploitation details are not provided in the documents. ...

CVSS 5.4 · AI score 5.5 · EPSS 0.00323

CVE · added 2025/03/13 1:02 p.m. · 64 views

CVE-2025-2280

In Devolutions Server, CVE-2025-2280 corresponds to improper access control in the Web Extension Restrictions feature, affecting version 2024.3.4.0 and earlier. An authenticated user can bypass the browser extension restriction, per sources describing this vulnerability. The provided documents co...

CVSS 8.1 · AI score 8 · EPSS 0.0047

CVE · added 2021/04/14 7:37 p.m. · 63 views

CVE-2021-28048

The CVE-2021-28048 entry concerns Devolutions Server (versions prior to 2021.1 and Devolutions Server LTS prior to 2020.3.18). The root cause is an overly permissive Cross-Origin Resource Sharing (CORS) policy that allows a remote attacker to leak cross-origin data via a specially crafted HTML pa...

CVSS 6.5 · AI score 6.1 · EPSS 0.00567

CVE · added 2023/03/23 5:13 p.m. · 62 views

CVE-2023-1603

CVE-2023-1603 affects Devolutions Server 2022.3.13 and earlier: a permission bypass vulnerability in the User vault when importing or synchronizing entries, due to an ID collision that lets users with restricted rights bypass entry permissions. The reported impact is that integrity of access cont...

CVSS 6.5 · AI score 6.4 · EPSS 0.00618

CVE · added 2023/03/06 5:15 p.m. · 60 views

CVE-2023-1201

CVE-2023-1201 affects Devolutions Server 2022.3.12 and earlier, with an improper access control issue in the secure messages feature. An authenticated attacker who possesses the message UUID can access the data contained in that message, per multiple sources. The CVSSv3.1 base score is 6.5 (Mediu...

CVSS 6.5 · AI score 6.3 · EPSS 0.00808

CVE · added 2024/03/05 9:35 p.m. · 59 views

CVE-2024-1764

CVE-2024-1764 affects Devolutions Server 2023.3.14.0 and earlier, due to improper privilege management in the Just-in-time (JIT) elevation module. The root cause is the JIT privilege handling, which allows a user to continue using elevated privileges after expiration under certain circumstances. ...

CVSS 7.6 · AI score 6.7 · EPSS 0.00362

CVE · added 2025/03/13 12:56 p.m. · 59 views

CVE-2025-2278

CVE-2025-2278 affects Devolutions Server versions prior to or equal to 2024.3.13. The issue is improper access control in the temporary access requests and checkout requests endpoints, enabling an authenticated user to view information about these requests via a known request ID. The provided met...

CVSS 6.5 · AI score 6.2 · EPSS 0.00421

CVE · added 2025/05/05 2:00 p.m. · 59 views

CVE-2025-4316

CVE-2025-4316 describes an improper access control in the PAM feature of Devolutions Server that enables a PAM user to self-approve requests, contrary to policy. Affected versions include 2025.1.3.0–2025.1.6.0 and all versions up to 2024.3.15.0. The issue’s root cause is restricted to PAM workflo...

CVSS 4.3 · AI score 4.5 · EPSS 0.00305

CVE · added 2022/07/06 6:56 p.m. · 58 views

CVE-2022-2316

CVE-2022-2316: The connected sources confirm an HTML injection vulnerability in Devolutions Server prior to 2022.2 affecting the handling of secure messages. The root cause is injection of HTML tags into a secure message (including its header, per CNNVD) that can alter how the page renders or ca...

CVSS 5.4 · AI score 5.5 · EPSS 0.00487

CVE · added 2024/12/04 5:17 p.m. · 58 views

CVE-2024-12196

CVE-2024-12196 affects Devolutions Server 2024.3.7.0 and earlier due to incorrect authorization in the permissions component, allowing an authenticated user to view the password history of an entry without the view password permission. Documents identify the affected software and the underlying c...

CVSS 6.5 · AI score 6.9 · EPSS 0.00446

CVE · added 2023/11/01 5:17 p.m. · 56 views

CVE-2023-5358

CVE-2023-5358 affects Devolutions Server (versions ≤ 2023.2.10.0). The issue is an improper access control in the Report log filters feature, which allows an attacker to retrieve logs from vaults or entries beyond their permissions via the report request URL query parameters. The public documenta...

CVSS 5.3 · AI score 5.3 · EPSS 0.00548

CVE · added 2025/05/01 6:26 p.m. · 56 views

CVE-2025-3517

CVE-2025-3517 affects Devolutions Server (versions ≤ 2025.1.5.0) and concerns the PAM JIT elevation feature. The root cause is an incorrect privilege assignment caused by failure to update the internal account SID when updating a username, enabling a PAM user to elevate a previously configured us...

CVSS 6.3 · AI score 6.3 · EPSS 0.00267

CVE · added 2024/12/04 5:18 p.m. · 55 views

CVE-2024-12148

CVE-2024-12148 affects Devolutions Server 2024.3.6.0 and earlier. The root cause is incorrect authorization in the permission validation component, allowing an authenticated user to access some reporting endpoints. Impact is limited to unauthorized access to reporting data as described in multipl...

CVSS 4.3 · AI score 6.8 · EPSS 0.0035

CVE · added 2024/12/04 5:17 p.m. · 55 views

CVE-2024-12151

CVE-2024-12151 affects Devolutions Server (versions 2024.3.8.0 and earlier) due to an incorrect permission assignment in the User Migration feature, allowing users to retain their old permission sets. The vulnerable component is the User Migration feature; root cause: incorrect permission handlin...

CVSS 5 · AI score 6.9 · EPSS 0.00263

CVE · added 2025/06/05 1:41 p.m. · 55 views

CVE-2025-0691

CVE-2025-0691 concerns Devolutions Server versions 2025.1.10.0 and earlier, where improper access control in the permissions component lets an authenticated user bypass the "Edit permission" permission by bypassing client-side validation. The impact is limited to bypassing permission checks to ed...

CVSS 5 · AI score 6.8 · EPSS 0.00262

CVE · added 2025/05/30 12:16 p.m. · 55 views

CVE-2025-4433

CVE-2025-4433 affects Devolutions Server (versions 2025.1.7.0 and earlier). The vulnerability arises from improper access control in User Group Management, enabling a non-administrative user who has both User Management and User Group Management permissions to escalate privileges by adding users ...

CVSS 8.8 · AI score 6.9 · EPSS 0.00465

CVE · added 2023/02/03 3:48 p.m. · 54 views

CVE-2023-0661

CVE-2023-0661 affects Devolutions Server. The vulnerability is an improper access control flaw that allows an authenticated user to access sensitive data they should not be able to view. The root cause is an access-control weakness; the impact is stated as high confidentiality impact with no inte...

CVSS 6.5 · AI score 6.3 · EPSS 0.0074

CVE · added 2023/02/22 1:46 p.m. · 54 views

CVE-2023-0951

CVE-2023-0951 affects Devolutions Server 2022.3.12 and earlier, due to improper access controls on certain API endpoints. A standard privileged user could perform privileged actions, with impact described as high for confidentiality, integrity, and availability. The provided documents identify th...

CVSS 8.8 · AI score 8.4 · EPSS 0.00997

CVE · added 2023/02/22 1:51 p.m. · 54 views

CVE-2023-0952

CVE-2023-0952 affects Devolutions Server 2022.3.12 and earlier, due to improper access controls on entries that could allow an authenticated user to access sensitive data without proper authorization. The CVE has a NVD score of 6.5 (Medium) with network attack vector, low attack complexity, and p...

CVSS 6.5 · AI score 6.3 · EPSS 0.00659

CVE · added 2023/05/02 1:11 p.m. · 54 views

CVE-2023-2445

Summary of CVE-2023-2445 (Devolutions Server). Affected software: Devolutions Server, versions 2023.1.1 and earlier. Vulnerability: Improper access control in the Subscriptions Folder path filter. This allows attackers with administrator privileges to retrieve usage information about folders in a ...

CVSS 4.9 · AI score 4.9 · EPSS 0.00979

CVE · added 2025/03/05 6:56 p.m. · 54 views

CVE-2025-2003

Summary (CVE-2025-2003): The affected product, Devolutions Server (versions 2024.3.12 and earlier), contains an incorrect authorization flaw in PAM vaults that allows an authenticated user to bypass the ‘add in root’ permission. Public sources consistently describe this as an authorization bypass vuln...

CVSS 7.1 · AI score 7 · EPSS 0.00409

CVE · added 2025/05/28 12:35 p.m. · 54 views

CVE-2025-4493

The CVE-2025-4493 entry concerns Devolutions Server, where an improper privilege assignment in PAM JIT privilege sets can let a PAM user perform PAM JIT requests on unauthorized groups due to a user interface issue. Impacted versions include 2025.1.3.0–2025.1.7.0 and 2024.3.15.0 and earlier. The ...

CVSS 6.5 · AI score 6.9 · EPSS 0.00311

CVE · added 2025/06/05 1:37 p.m. · 54 views

CVE-2025-5382

CVE-2025-5382 concerns Devolutions Server (versions ≤ 2025.1.7.0) where improper access control in the user MFA feature lets a user with the user-management permission remove or change administrators’ MFA settings. The vulnerability affects the MFA configuration component and is triggered by insu...

CVSS 6.8 · AI score 6.9 · EPSS 0.00337

CVE · added 2025/06/05 1:36 p.m. · 53 views

CVE-2025-3768

CVE-2025-3768 affects Devolutions Server (versions 2025.1.10.0 and earlier) due to improper access control in the Tor network blocking feature. An authenticated user can bypass the Tor blocking when the Devolutions hosted endpoint is unreachable, with a CVSSv3.1 base score of 5.0 (Medium). No exp...

CVSS 5 · AI score 6.8 · EPSS 0.00208

CVE · added 2024/05/17 3:18 p.m. · 52 views

CVE-2024-5072

The CVE-2024-5072 entry describes a vulnerability in Devolutions Server (versions up to 2024.1.11.0) where improper input validation in the PAM JIT elevation feature allows an authenticated user to manipulate LDAP filter queries through a specially crafted request. Documented details include affe...

CVSS 6.5 · AI score 6.6 · EPSS 0.00678

CVE · added 2025/03/13 12:47 p.m. · 52 views

CVE-2025-2277

CVE-2025-2277 affects Devolutions Server

CVSS 7.5 · AI score 6.9 · EPSS 0.00515

CVE · added 2021/07/12 1:04 p.m. · 50 views

CVE-2021-36382

CVE-2021-36382 affects Devolutions Server prior to 2021.1.18 and LTS prior to 2020.3.20. The issue allows interception of private keys via a man-in-the-middle attack against the connections/partial endpoint, which accepts plaintext. Affected components and exact root cause are described across mu...

CVSS 4.3 · AI score 4.3 · EPSS 0.00478

CVE · added 2023/04/21 9:52 p.m. · 50 views

CVE-2023-2118

CVE-2023-2118 affects Devolutions Server 2023.1.5.0 and earlier. The issue is insufficient access control in the support ticket feature, enabling an authenticated attacker to send support tickets and download diagnostic files through specific endpoints. Impact is described as unauthorized access ...

CVSS 5.4 · AI score 5.3 · EPSS 0.00365

CVE · added 2024/11/12 3:52 p.m. · 50 views

CVE-2024-10971

CVE-2024-10971 affects Devolutions DVLS 2024.3.6 and earlier: an improper access control in the Password History feature allows a malicious authenticated user to obtain sensitive data via faulty permissions. Red Hat and Nessus/Nessus-derived sources corroborate information disclosure in DVLS 2024...

CVSS 4.3 · AI score 6.1 · EPSS 0.0051

CVE · added 2024/03/05 9:35 p.m. · 50 views

CVE-2024-1898

CVE-2024-1898: Devolutions Server (versions up to 2023.3.14.0) has improper access control in the notification feature, allowing a low-privileged user to change administrator-configured notification settings. The root cause is an access control weakness that lets non-admins modify admin-defined con...

CVSS 4.3 · AI score 6.6 · EPSS 0.00204

CVE · added 2024/09/25 1:55 p.m. · 49 views

CVE-2024-6512

CVE-2024-6512 affects Devolutions Server 2024.2.10 and earlier. The issue is an authorization bypass in the PAM access request approval mechanism that lets authenticated users with approval permissions approve their own requests, bypassing security restrictions. Impact is described as an integrity ...

CVSS 6.5 · AI score 6.9 · EPSS 0.0029

CVE · added 2024/03/05 9:34 p.m. · 48 views

CVE-2024-1900

This CVE affects Devolutions Server (versions up to 2023.3.14.0) where improper session management in the identity provider authentication flow can allow an authenticated user, validated via an external IdP (e.g., Okta or O365), to remain authenticated after their identity is disabled or deleted....

CVSS 5.5 · AI score 6.8 · EPSS 0.00228

CVE · added 2023/02/22 1:42 p.m. · 47 views

CVE-2023-0953

The CVE concerns Devolutions Server (version 2022.3.12 and earlier). The root cause is insufficient input sanitization in the documentation feature, enabling an authenticated attacker to perform an SQL Injection and potentially access system resources. Impact is described as high (C/H/I/A), with ...

CVSS 8.8 · AI score 8.4 · EPSS 0.01032

CVE · added 2023/10/13 12:22 p.m. · 45 views

CVE-2023-5240

CVE-2023-5240 concerns Devolutions Server (versions 2023.2.8.0 and earlier) with improper access control in PAM propagation scripts. The root cause, per Red Hat and other sources, is that an attacker with permission to manage PAM propagation scripts can retrieve passwords stored in those scripts ...

CVSS 7.5 · AI score 7.3 · EPSS 0.00625

CVE · added 2023/06/20 4:19 p.m. · 44 views

CVE-2023-2400

Summary: CVE-2023-2400 affects Devolutions Server 2023.1.8 and earlier. The vulnerability stems from an improper deletion of resources in the user management feature, which allows an administrator to view the vaults of deleted users via database access. Affected software/area: Devolutions Server,...

CVSS 2.7 · AI score 4 · EPSS 0.00442

CVE · added 2024/04/09 7:01 p.m. · 43 views

CVE-2024-3545

CVE-2024-3545 involves Devolutions Remote Desktop Manager (Windows) version 2024.1.20 and earlier, and Devolutions Server version 2024.1.8 and earlier. The vulnerability stems from improper permission handling in the vault offline cache feature, which could allow an attacker with access to the in...

CVSS 4.3 · AI score 6.7 · EPSS 0.00281

CVE · added 2023/10/16 1:29 p.m. · 42 views

CVE-2023-5575

Devolutions Server CVE-2023-5575 affects versions 2022.3.13.0 and earlier. The issue is improper access control in permission inheritance, enabling a low-privileged, compromised user to access entries via a specific combination of permissions on the entry and its parent. Remediation is to update ...

CVSS 6.5 · AI score 6.3 · EPSS 0.00631

CVE · added 2024/06/25 12:18 p.m. · 42 views

CVE-2024-4846

CVE-2024-4846 describes an authentication bypass in the 2FA feature of Devolutions Server, affected versions 2024.1.14.0 and earlier. An authenticated attacker can sign in as another user without being prompted for 2FA via another browser tab. The available connected documents confirm the vulnera...

CVSS 6.3 · AI score 6.8 · EPSS 0.00386

CVE · added 2024/04/09 6:42 p.m. · 39 views

CVE-2024-2918

CVE-2024-2918 affects Devolutions Server 2024.1.6 and earlier, via improper input validation in the PAM JIT elevation feature. The issue allows an attacker with access to PAM JIT elevation to forge the displayed group in the PAM JIT elevation checkout request through a specially crafted request. ...

CVSS 3.6 · AI score 6.7 · EPSS 0.00245

CVE · added 2023/11/22 6:39 p.m. · 30 views

CVE-2023-6264

The CVE-2023-6264 case concerns Devolutions Server (version 2023.3.7.0). The issue is an information leak in the Content-Security-Policy header that allows an unauthenticated attacker to list configured Devolutions Gateways endpoints, i.e., information disclosure with network access (no authentic...

CVSS 5.3 · AI score 5.3 · EPSS 0.00517

Total number of security vulnerabilities: 103