CVE-2023-0953

8.8 HIGH

📋 TL;DR

This SQL injection vulnerability in Devolutions Server allows authenticated attackers to execute arbitrary SQL commands through insufficient input sanitization in the documentation feature. Attackers could potentially access, modify, or delete sensitive data in the database. Organizations running Devolutions Server 2022.3.12 or earlier are affected.

💻 Affected Systems

Products:
  • Devolutions Server
Versions: 2022.3.12 and earlier
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to the documentation feature.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data exfiltration, privilege escalation, and potential remote code execution on the underlying server.

🟠

Likely Case

Unauthorized access to sensitive credential data stored in the Devolutions Server database, potentially enabling lateral movement within the network.

🟢

If Mitigated

Limited impact with proper input validation and database permissions, potentially only allowing data viewing without modification.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

SQL injection vulnerabilities are typically easy to exploit once discovered, but this requires authenticated access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2022.3.13 or later

Vendor Advisory: https://devolutions.net/security/advisories/DEVO-2023-0003

Restart Required: Yes

Instructions:

1. Back up your Devolutions Server database and configuration.
2. Download and install Devolutions Server 2022.3.13 or later from the official website.
3. Follow the upgrade instructions in the vendor documentation.
4. Restart the Devolutions Server service.

🔧 Temporary Workarounds

Disable documentation feature

all

Temporarily disable the vulnerable documentation feature until patching is possible.

Implement WAF rules

all

Deploy web application firewall rules to block SQL injection patterns targeting the documentation endpoint.

🧯 If You Can't Patch

  • Restrict access to Devolutions Server to only trusted users and networks
  • Implement database-level controls to limit SQL user permissions to minimum required

🔍 How to Verify

Check if Vulnerable:

Check Devolutions Server version in administration console or via version file in installation directory.

Check Version:

Check web interface or examine version.txt in installation directory

Verify Fix Applied:

Verify version is 2022.3.13 or later and test documentation feature with SQL injection test payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed authentication attempts followed by documentation feature access
  • Unusual patterns in Devolutions Server application logs

Network Indicators:

  • SQL injection patterns in HTTP requests to documentation endpoints
  • Unusual database connections from Devolutions Server host

SIEM Query:

source="devolutions.log" AND "documentation" AND ("' OR" OR "UNION" OR "SELECT" OR "INSERT" OR "DELETE")
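As an added example that is not part of this advisory page or of Devolutions' own tooling, the Python below does two of the checks described above: it compares an installed version string against the fixed release 2022.3.13 (the "Verify Fix Applied" step), and it applies the SIEM query's indicator list to web access log lines that reference the documentation endpoint (the "Detection & Monitoring" section). The log line layout, the field names and the sample lines are constructed assumptions; the real Devolutions Server log format is not given on this page, so the parsing regex must be adapted to whatever your deployment writes.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Fixed release stated in the advisory: 2022.3.13 or later.
PATCHED_VERSION: Tuple[int, ...] = (2022, 3, 13)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '2022.3.12' into (2022, 3, 12)."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(version: str) -> bool:
    """True when the installed build is 2022.3.12 or earlier (tuple compare)."""
    return parse_version(version) < PATCHED_VERSION


# Indicator list taken from the SIEM query above. Word boundaries keep
# ordinary words such as 'selection' from matching the SELECT token.
SQLI_INDICATORS = [
    ("' OR", re.compile(r"'\s*OR\b", re.IGNORECASE)),
    ("UNION", re.compile(r"\bUNION\b", re.IGNORECASE)),
    ("SELECT", re.compile(r"\bSELECT\b", re.IGNORECASE)),
    ("INSERT", re.compile(r"\bINSERT\b", re.IGNORECASE)),
    ("DELETE", re.compile(r"\bDELETE\b", re.IGNORECASE)),
]

# ASSUMED log layout: "<timestamp> <user> <method> <path?query> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>\S+) (?P<target>\S+) (?P<status>\d+)$"
)


def flag_suspicious_requests(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per request that hits the documentation endpoint
    and carries at least one indicator from the SIEM query."""
    from urllib.parse import unquote_plus

    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the assumed format; skip rather than guess
        target = unquote_plus(m.group("target"))  # decode %27, %20, + ...
        if "documentation" not in target.lower():
            continue
        found = [name for name, rx in SQLI_INDICATORS if rx.search(target)]
        if found:
            hits.append({
                "timestamp": m.group("ts"),
                "user": m.group("user"),
                "target": target,
                "status": int(m.group("status")),
                "indicators": found,
            })
    return hits


# Constructed sample lines (not real Devolutions Server output).
SAMPLE_LOG_LINES = [
    "2024-05-01T10:00:01Z alice GET /documentation?id=42 200",
    "2024-05-01T10:00:02Z alice GET /documentation?id=42%27%20OR%201%3D1-- 200",
    "2024-05-01T10:00:03Z bob GET /documentation?id=7%20UNION%20SELECT%20username%2Cpassword%20FROM%20users 500",
    "2024-05-01T10:00:04Z carol GET /dashboard?q=union 200",
    "2024-05-01T10:00:05Z dave GET /documentation?title=selection%20notes 200",
]


if __name__ == "__main__":
    for v in ("2022.3.12", "2022.3.13", "2023.1.5"):
        print(f"{v}: {'VULNERABLE' if is_vulnerable(v) else 'patched'}")
    for hit in flag_suspicious_requests(SAMPLE_LOG_LINES):
        print(hit["timestamp"], hit["user"], hit["indicators"], hit["target"])
```

Only the two lines with decoded injection tokens on the documentation path are reported; the `/dashboard` request containing "union" is ignored because it does not touch the documentation endpoint, and "selection notes" does not match the word-bounded `SELECT` token. Treat the output as triage input, not proof of exploitation: a hit means a request worth correlating with the database logs and the user's session history.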

🔗 References
