Security updates on vulnerabilities

This page lists security vulnerability fixes made in Device Control Plus.

Follow general security recommendations to fortify your Device Control Server.

| CVE | Synopsis | Severity |
| --- | --- | --- |
| Privilege Escalation Vulnerability | A privilege escalation vulnerability reported through the ManageEngine Bug Bounty program. | HIGH |
| Authenticated SQL Injection Vulnerability (CVE-2022-47523) | An authenticated SQL injection (SQLi) vulnerability. | CRITICAL |
| CVE-2020-1968 | The Raccoon attack exploits a flaw in the TLS specification. | LOW |
| CVE-2020-13943 | HTTP/2 pseudo headers. | MEDIUM |
| CVE-2020-9490 | A specially crafted value for the 'Cache-Digest' header in an HTTP/2 request resulted in a crash. | HIGH |
| CVE-2020-13935 | Invalid payload lengths could trigger an infinite loop; multiple requests with invalid payload lengths could lead to a denial of service. | HIGH |
| CVE-2020-13934 | An OutOfMemoryException leading to a denial of service. | HIGH |
| CVE-2020-14350 | PostgreSQL extensions did not use search_path safely in their installation scripts. | HIGH |
| CVE-2020-11984 | Integer overflow in mod_proxy_uwsgi. | CRITICAL |
| CVE-2020-11993 | Concurrent use of memory pools in the HTTP/2 module. | HIGH |
| Integer Overflow Vulnerability (CVE-2020-15588) | Integer overflow in InternetSendRequestEx and InternetSendRequestByBitrate leading to a heap-based buffer overflow and remote code execution with SYSTEM privileges. | CRITICAL |
| CVE-2020-11996 | Triggers high CPU usage for several seconds, rendering the server unresponsive. | HIGH |
| CVE-2020-9484 | Allows any anonymous attacker with internet access to submit a malicious request to a Tomcat server that has PersistentManager enabled using FileStore. | HIGH |
| Remote Code Execution Vulnerability (CVE-2021-44228) | Allows malicious users to execute arbitrary code loaded from LDAP servers on a machine or pod by using a bug in the log4j library. | CRITICAL |