Security & Compliance

DEVO-2023-0010

Summary

Devolutions Server support ticket endpoints are affected by a security vulnerability.

Affected Products

Devolutions Server 2023.1.5.0 and below

Change Log

Initial publication - 2023-04-17 Fixed typo - 2023-04-24

Severity

Medium

Product

Devolutions Server

Fix Version

2023.1.6.0

Endpoint for diagnostic logs not limited to administrators

Description

Insufficient access control in support ticket feature in Devolutions Server 2023.1.5.0 and below allows an authenticated attacker to send support tickets and download diagnostic files via specific endpoints.

Remediation and Workarounds

Upgrade to Devolutions Server 2023.1.6.0 or higher

Severity

Medium 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Affected Products

Devolutions Server 2023.1.5.0 and earlier.

CVE(s)

CVE-2023-2118