Overly Permissive CORS Policy in Devolutions Server by Devolutions
CVE-2021-28048

6.5MEDIUM

Key Information:

Vendor: Devolutions
Status: Devolutions Server
Vendor: CVE Published:; 14 April 2021

What is CVE-2021-28048?

Devolutions Server prior to version 2021.1 and Devolutions Server LTS versions earlier than 2020.3.18 have an overly permissive Cross-Origin Resource Sharing (CORS) policy. This vulnerability can be exploited by a remote attacker to leak sensitive cross-origin data through a specially crafted HTML page, potentially compromising user data and privacy. Organizations using affected versions should apply the necessary updates to mitigate this security risk.

References

https://devolutions.net/security/advisories/DEVO-2021-0004

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Apr 14, 2021
Vulnerability Reserved
Mar 5, 2021