Client side permission bypass in Devolutions Remote Desktop Manager 2023.3.4.0 and earlier on iOS allows an attacker that has access to the application to execute entries in a SQL data source without restriction.
The permission control mechanism is implemented exclusively on the client side, which means it can be bypassed without modifying the server. An attacker with access to the application on an iOS device can circumvent the imposed restrictions and perform entries in the SQL data source to which they should not normally have access. The vulnerability is classified as CWE-732, which is improper assignment of permissions to critical resources.
An attacker can perform arbitrary entries in the SQL data source without restrictions, leading to potential unauthorized access to data, its modification, or breach of confidentiality and integrity of stored remote connections.
Devolutions Remote Desktop Manager should be updated to a version higher than 2023.3.4.0. Detailed information about available patches can be found in the official manufacturer's bulletin: https://devolutions.net/security/advisories/DEVO-2023-0023/
Devolutions Remote Desktop Manager version 2023.3.4.0 and earlier on iOS platform (Apple iPhone OS).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApple iOS
OSApplewszystkie wersjeDevolutions Remote Desktop Manager
APPDevolutions< 2023.3.5.0
Related vulnerabilities
Apple iOS/iPadOS/macOS — out-of-bounds write przy przetwarzaniu obrazu
Apple — memory corruption (RCE) w przetwarzaniu strumieni audio
Apple: Obejście Pointer Authentication w iOS, macOS i innych platformach
Apple WebKit: out-of-bounds write umożliwiający ucieczkę z sandbox przeglądarki
Use-after-free w Apple iOS/iPadOS/macOS — privilege escalation przez aplikację