7 matches found
CVE-2021-23925
Devolutions Server (prior to version 2020.3) contains a cross-site scripting (XSS) vulnerability in Document entries. The issue affects the Document-type data handling and allows injecting JavaScript code, as described across multiple CVE references (CVE-2021-23925) with CVSS v3.1 base score 6.1 ...
CVE-2021-23924
Summary: Devolutions Server prior to 2020.3 contains an information-disclosure vulnerability where diagnostic files expose sensitive data. Affected product: Devolutions Server (versions before 2020.3). Vulnerability: Exposure of sensitive information in diagnostic files. Root cause stated as info...
CVE-2021-23923
The CVE concerns Devolutions Server prior to 2020.3 with a Broken Authentication issue involving Windows domain users. Public documents identify affected software and the vulnerability type but do not provide exploit details, exact root cause, or remediation steps within the supplied sources. Mon...
CVE-2021-23921
CVE-2021-23921 affects Devolutions Server prior to 2020.3. The issue is broken access control on Password List entry elements, as described in the CVE entry and corroborated by NVD/related records. The connected documents confirm the affected software and the underlying flaw (inadequate access re...
CVE-2021-28157
CVE-2021-28157 affects Devolutions Server and Devolutions Server LTS. The vulnerability is a SQL injection in the API endpoint api/security/userinfo/delete that allows an administrative user to execute arbitrary SQL commands. Affected versions are Devolutions Server before 2021.1 and Devolutions ...
CVE-2021-28048
The CVE-2021-28048 entry concerns Devolutions Server (versions prior to 2021.1 and Devolutions Server LTS prior to 2020.3.18). The root cause is an overly permissive Cross-Origin Resource Sharing (CORS) policy that allows a remote attacker to leak cross-origin data via a specially crafted HTML pa...
CVE-2021-36382
CVE-2021-36382 affects Devolutions Server prior to 2021.1.18 and LTS prior to 2020.3.20. The issue allows interception of private keys via a man-in-the-middle attack against the connections/partial endpoint, which accepts plaintext. Affected components and exact root cause are described across mu...