16 matches found
CVE-2021-23925
An issue was discovered in Devolutions Server before 2020.3. There is a cross-site scripting (XSS) vulnerability in entries of type Document.
CVE-2022-3781
Dashlane password and Keepass Server password in My Account Settings are not encrypted in the database in Devolutions Remote Desktop Manager 2022.2.26 and prior versions and Devolutions Server 2022.3.1 and prior versions which allows database users to read the data. This issue affects :Remote Deskt...
CVE-2021-28048
An overly permissive CORS policy in Devolutions Server before 2021.1 and Devolutions Server LTS before 2020.3.18 allows a remote attacker to leak cross-origin data via a crafted HTML page.
CVE-2024-12196
Incorrect authorization in the permission component in Devolutions Server 2024.3.7.0 and earlier allows an authenticated user to view the password history of an entry without the view password permission.
CVE-2023-1201
Improper access control in the secure messages feature in Devolutions Server 2022.3.12 and below allows an authenticated attacker that possesses the message UUID to access the data it contains.
CVE-2023-0952
Improper access controls on entries in Devolutions Server2022.3.12 and earlier could allow an authenticated user to accesssensitive data without proper authorization.
CVE-2025-2278
Improper access control in temporary access requests and checkout requests endpoints in Devolutions Server 2024.3.13 and earlier allows an authenticated user to access information about these requests via a known request ID.
CVE-2024-5072
Improper input validation in PAM JIT elevation feature in Devolutions Server 2024.1.11.0 and earlier allows an authenticated user with access to the PAM JIT elevation feature to manipulate the LDAP filter query via a specially crafted request.
CVE-2025-4493
Improper privilege assignment in PAM JIT privilege sets in DevolutionsServer allows a PAM user to perform PAM JITrequests on unauthorized groups by exploiting a user interface issue. This issue affects the following versions : Devolutions Server 2025.1.3.0 through 2025.1.7.0 Devolutions Server 2024...
CVE-2025-3517
Incorrect privilege assignment in PAM JIT elevation feature in Devolutions Server 2025.1.5.0 and earlier allows a PAM user to elevate a previously configured user configured in a PAM JIT account via failure to update the internal account’s SID when updating the username.
CVE-2023-0661
Improper access control in Devolutions Server allows an authenticated user to access unauthorized sensitive data.
CVE-2024-6512
Authorization bypass in the PAM access request approval mechanism in Devolutions Server 2024.2.10 and earlier allows authenticated users with permissions to approve their own requests, bypassing intended security restrictions, via the PAM access request approval mechanism.
CVE-2025-5382
Improper access control in users MFA feature in Devolutions Server 2025.1.7.0 and earlier allows a user with user management permission to remove or change administrators MFA.
CVE-2023-1603
Permission bypass when importing or synchronizing entries in User vault in Devolutions Server 2022.3.13 and prior versions allows users with restricted rights to bypass entry permission via id collision.
CVE-2024-4846
Authentication bypass in the 2FA feature in Devolutions Server 2024.1.14.0 and earlier allows an authenticated attacker to authenticate to another user without being asked for the 2FA via another browser tab.
CVE-2023-5575
Improper access control in the permission inheritance in Devolutions Server 2022.3.13.0 and earlier allows an attacker that compromised a low privileged user to access entries via a specific combination of permissions in the entry and in its parent.