Devolutions Remote Desktop Manager Authorization Bypass Vulnerability (DEVO-2024-0016)

From this webpage screenshot, the following key vulnerability information can be obtained: 1. Vulnerability ID: DEVO-2024-0016 2. Affected Products: - Remote Desktop Manager 2024.3.17 and earlier versions 3. Vulnerability Description: - Incorrect Permission Validation Component: In Devolutions Remote Desktop Manager 2024.2.21 and earlier versions, an incorrect permission validation component on Windows allows malicious authenticated users to bypass the "View Password" permission through specific actions. - Authentication Error in SQL Data Source MFA: In Devolutions Remote Desktop Manager 2024.3.17 and earlier versions, the SQL data source MFA authentication on Windows allows authenticated users to bypass MFA verification by switching data sources. - Incorrect Authorization in Add Permission Component: In Devolutions Remote Desktop Manager 2024.2.21 and earlier versions, an incorrect permission validation component on Windows allows authenticated malicious users to bypass the "Add" permission via the import function. 4. Fixed Version: 2024.3.18 5. Mitigation and Workarounds: - For the first vulnerability, upgrade to Remote Desktop Manager 2024.3.10 or later. - For the second vulnerability, upgrade to Remote Desktop Manager 2024.3.18 or later. - For the third vulnerability, upgrade to Remote Desktop Manager 2024.3.10 or later. 6. Vulnerability Severity: - Medium - CVSS Score: 4.0 - Attack Vector (AV): Network - Attack Complexity (AC): Low - User Interaction (UI): None - Privileges Required (PR): Low - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Local - Scope (VI): Loc

Goal Reached Thanks to every supporter — we hit 100%!

Devolutions Remote Desktop Manager Authorization Bypass Vulnerability (DEVO-2024-0016)