19 matches found
CVE-2025-1231
The CVE-2025-1231 affects Devolutions Server 2024.3.10.0 and earlier, caused by an improper password reset in the PAM module that lets an authenticated user reuse the oracle password after check-in due to a crash in the password reset flow. Exploitation details are not provided in the documents. ...
CVE-2025-2280
In Devolutions Server, CVE-2025-2280 corresponds to improper access control in the Web Extension Restrictions feature, affecting version 2024.3.4.0 and earlier. An authenticated user can bypass the browser extension restriction, per sources describing this vulnerability. The provided documents co...
CVE-2025-4316
CVE-2025-4316 describes an improper access control in the PAM feature of Devolutions Server that enables a PAM user to self-approve requests, contrary to policy. Affected versions include 2025.1.3.0–2025.1.6.0 and all versions up to 2024.3.15.0. The issue’s root cause is restricted to PAM workflo...
CVE-2025-2278
CVE-2025-2278 affects Devolutions Server versions prior to or equal to 2024.3.13. The issue is improper access control in the temporary access requests and checkout requests endpoints, enabling an authenticated user to view information about these requests via a known request ID. The provided met...
CVE-2025-2003
Summary (CVE-2025-2003) : Affected product Devolutions Server (versions 2024.3.12 and earlier) contains an incorrect authorization flaw in PAM vaults that allows an authenticated user to bypass the ‘add in root’ permission. Public sources consistently describe this as an authorization bypass vuln...
CVE-2025-3517
CVE-2025-3517 affects Devolutions Server (versions ≤ 2025.1.5.0) and concerns the PAM JIT elevation feature. The root cause is an incorrect privilege assignment caused by failure to update the internal account SID when updating a username, enabling a PAM user to elevate a previously configured us...
CVE-2025-5382
CVE-2025-5382 concerns Devolutions Server (versions ≤ 2025.1.7.0) where improper access control in the user MFA feature lets a user with the user-management permission remove or change administrators’ MFA settings. The vulnerability affects the MFA configuration component and is triggered by insu...
CVE-2025-4433
CVE-2025-4433 affects Devolutions Server (versions 2025.1.7.0 and earlier). The vulnerability arises from improper access control in User Group Management, enabling a non-administrative user who has both User Management and User Group Management permissions to escalate privileges by adding users ...
CVE-2025-2277
CVE-2025-2277 affects Devolutions Server
CVE-2025-8312
CVE-2025-8312 describes a deadlock in Devolutions Server’s PAM automatic check-in feature that can allow a password to stay valid past its intended check-out. Affected versions include Devolutions Server 2025.2.2.0 through 2025.2.5.0 and 2025.1.12.0 and earlier. The root cause is a scheduling-ser...
CVE-2025-13765
CVE-2025-13765 affects Devolutions Server, where email service credentials are exposed to non-administrative users. Public details in connected documents specify affected versions as before 2025.2.21 and before 2025.3.9. The issue’s root cause is credential exposure in the email service, with mul...
CVE-2025-13757
CVE-2025-13757 affects Devolutions Server. The issue is an SQL injection in the last usage logs, exploitable across affected builds through 2025.2.20 and 2025.3.8. CVSS v3.1 base score 8.8 (NETWORK, LOW complexity, LOW privileges, no user interaction). Impact is high on confidentiality, integrity...
CVE-2025-8353
The CVE-2025-8353 entry concerns a UI synchronization issue in Devolutions Server (JIT) that affects versions prior to and including 2025.2.4.0. A remote authenticated attacker could exploit stale UI state during standard checkout processing to gain unauthorized access to deleted JIT Groups. Affe...
CVE-2025-13683
CVE-2025-13683 describes exposure of credentials via unintended requests in Devolutions Server and Devolutions Remote Desktop Manager on Windows. Affected versions: Devolutions Server up to 2025.3.8.0 and Remote Desktop Manager up to 2025.3.23.0. Impact is high confidentiality exposure over netwo...
CVE-2025-11619
The CVE-2025-11619 entry affects Devolutions Server. Affected component: the server’s gateway connection path where improper certificate validation occurs during gateway connections. Root cause: improper certificate validation enables a man-in-the-middle position to intercept traffic when establi...
CVE-2025-12485
CVE-2025-12485 affects Devolutions Server, with vulnerable cookie handling in pre-MFA flow. A low-privileged authenticated user can impersonate another account by replaying the pre-MFA cookie; MFA verification is not bypassed. Affected versions include Devolutions Server 2025.3.2.0–2025.3.5.0 and...
CVE-2025-11957
Devolutions Server (versions up to and including 2025.2.12.0) is affected by an improper authorization vulnerability in the temporary access workflow. An authenticated basic user can self-approve or approve others’ temporary access requests, enabling unauthorized access to vaults and entries via ...
CVE-2025-13758
CVE-2025-13758 is tied to Devolutions Server and describes exposure of credentials in unintended requests. The connected Nessus entry (DEVO-2025-0018) confirms this issue alongside related CVEs and states affected versions include Devolutions Server up to 2025.2.20 and up to 2025.3.8, respectivel...
CVE-2025-12808
CVE-2025-12808 affects Devolutions Server. The vulnerability is due to improper access control that allows a View-only user to retrieve sensitive third-level nested fields (e.g., password lists custom values), potentially leading to password disclosure. Affected versions include Devolutions Serve...