Veeam Releases Security Advisory

Summary

The security advisory addresses two critical and two medium vulnerabilities affecting Veeam ONE


Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

Veeam have released a security advisory addressing multiple vulnerabilities affecting Veeam ONE. One vulnerability, with a CVSS v3.1 score of 9.9, could allow an attacker to perform remote code execution.

Two of the vulnerabilities, one critical and one medium, could be leveraged by an attacker to gain unprivileged access to data. The final, medium vulnerability could allow read access to the Dashboard Schedule.


Vulnerability details

  • CVE-2023-38547 CWE-94 - Improper Control of Generation of Code ('Code Injection')

This vulnerability, with a CVSS v3.1 score of 9.9, could allow an unauthenticated user to obtain information about the SQL Server connection that Veeam ONE uses to access its configuration database. If exploited, the attacker could perform remote code execution on the SQL Server hosting the Veeam ONE configuration database.

  • CVE-2023-38548

This vulnerability, with a CVSS v3.1 score of 9.8, could allow an unprivileged user with access to the Veeam ONE Web Client to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service.

  • CVE-2023-38549 CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

This vulnerability, with a CVSS v3.1 score of 4.5, could allow an unprivileged user with access to the Veeam ONE Web Client to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service.

  • CVE-2023-41723

This vulnerability, with a CVSS v3.1 score of 4.3, could allow a user with the Veeam ONE Read-Only User role to view the Dashboard Schedule.


Remediation advice

Affected organisations are encouraged to review the Veeam advisory and apply the relevant updates.


Definitive source of threat updates


Last edited: 7 November 2023 2:32 pm