devolutions Server v0 - 18 CVEs

CVE-2024-12148

Incorrect authorization in permission validation component in Devolutions Server 2024.3.6.0 and earlier allows an authenticated user to access some reporting endpoints.

MEDIUM CVSS 4.3 Published Dec 04, 2024

CVE-2024-12151

Incorrect permission assignment in the user migration feature in Devolutions Server 2024.3.8.0 and earlier allows users to retain their old permission sets.

MEDIUM CVSS 5.0 Published Dec 04, 2024

Incorrect authorization in the permission component in Devolutions Server 2024.3.7.0 and earlier allows an authenticated user to view the password history of an entry without the view password permission.

MEDIUM CVSS 6.5 Published Dec 04, 2024

CVE-2024-4846

Authentication bypass in the 2FA feature in Devolutions Server 2024.1.14.0 and earlier allows an authenticated attacker to authenticate to another user without being asked for the 2FA via another browser tab.

MEDIUM CVSS 6.3 Published Jun 25, 2024

CVE-2024-5072

Improper input validation in PAM JIT elevation feature in Devolutions Server 2024.1.11.0 and earlier allows an authenticated user with access to the PAM JIT elevation feature to manipulate the LDAP filter query via a specially crafted request.

MEDIUM CVSS 6.5 Published May 17, 2024

CVE-2024-3545

Improper permission handling in the vault offline cache feature in Devolutions Remote Desktop Manager 2024.1.20 and earlier on windows and Devolutions Server 2024.1.8 and earlier allows an attacker to access sensitive informations contained in the offline cache file by gaining access to a computer where the software is installed even though the offline mode is disabled.

MEDIUM CVSS 4.3 Published Apr 09, 2024

CVE-2024-2918

Improper input validation in PAM JIT elevation feature in Devolutions Server 2024.1.6 and earlier allows an attacker with access to the PAM JIT elevation feature to forge the displayed group in the PAM JIT elevation checkout request via a specially crafted request.

LOW CVSS 3.6 Published Apr 09, 2024

CVE-2024-2921

Improper access control in PAM vault permissions in Devolutions Server 2024.1.10.0 and earlier allows an authenticated user with access to the PAM to access unauthorized PAM entries via a specific set of permissions.

CRITICAL CVSS 9.8 Published Mar 26, 2024

CVE-2024-2915

Improper access control in PAM JIT elevation in Devolutions Server 2024.1.6 and earlier allows an attacker with access to the PAM JIT elevation feature to elevate themselves to unauthorized groups via a specially crafted request.

UNKNOWN CVSS 8.8 Published Mar 26, 2024

CVE-2024-1764

Improper privilege management in Just-in-time (JIT) elevation module in Devolutions Server 2023.3.14.0 and earlier allows a user to continue using the elevated privilege even after the expiration under specific circumstances

UNKNOWN CVSS 7.6 Published Mar 05, 2024

CVE-2024-1898

Improper access control in the notification feature in Devolutions Server 2023.3.14.0 and earlier allows a low privileged user to change notifications settings configured by an administrator.

LOW CVSS 3.9 Published Mar 05, 2024

CVE-2024-1900

Improper session management in the identity provider authentication flow in Devolutions Server 2023.3.14.0 and earlier allows an authenticated user via an identity provider to stay authenticated after his user is disabled or deleted in the identity provider such as Okta or Microsoft O365. The user will stay authenticated until the Devolutions Server token expiration.

MEDIUM CVSS 5.5 Published Mar 05, 2024

Version 0

Known Vulnerabilities

CVE-2024-12148

CVE-2024-12151

CVE-2024-12196

CVE-2024-4846

CVE-2024-5072

CVE-2024-3545

CVE-2024-2918

CVE-2024-2921

CVE-2024-2915

CVE-2024-1764

CVE-2024-1898

CVE-2024-1900

CVE-2024-1901

CVE-2023-6264

CVE-2023-5575

CVE-2023-5240

CVE-2023-2400

CVE-2023-1603