Veeam Releases Security Advisory
The security advisory addresses two critical and two medium vulnerabilities affecting Veeam ONE
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
Veeam have released a security advisory addressing multiple vulnerabilities affecting Veeam ONE. One vulnerability with a CVSSv3.1 score of 9.9 could allow an attacker to perform remote code execution.
Two of the vulnerabilities, one critical and one medium, could allow an unprivileged user to gain access to data they are not authorised to see. The final, medium vulnerability could allow read access to the Dashboard Schedule.
Vulnerability details
- CVE-2023-38547 - CWE-94 - Improper Control of Generation of Code ('Code Injection')
This vulnerability, with a CVSS v3.1 score of 9.9, could allow an unauthenticated user to obtain information about the SQL server connection Veeam ONE uses to access its configuration database. If exploited, the attacker could perform remote code execution on the SQL server hosting the Veeam ONE configuration database.
- CVE-2023-38548
This vulnerability, with a CVSS v3.1 score of 9.8, could allow an unprivileged user with access to the Veeam ONE Web Client to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service.
- CVE-2023-38549 - CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
This vulnerability, with a CVSS v3.1 score of 4.5, could allow an unprivileged user with access to the Veeam ONE Web Client to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service.
- CVE-2023-41723
This vulnerability, with a CVSS v3.1 score of 4.3, could allow a user with the Veeam ONE Read-Only User role to view the Dashboard Schedule.
Remediation advice
Affected organisations are encouraged to review the Veeam advisory and apply the relevant updates.
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 7 November 2023 2:32 pm