Veeam has released hotfixes to resolve four newly discovered vulnerabilities in its IT monitoring and analytics tool, Veeam ONE, including two critical vulnerabilities.
Veeam revealed the first bug, CVE-2023-38547, a CVSS 9.9-rated flaw in Veeam ONE 11, 11a, and 12. The vulnerability allows an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration database. This may lead to remote code execution on the SQL server hosting the Veeam ONE configuration database.
The second critical bug, tracked as CVE-2023-38548, affects Veeam ONE version 12 and has a CVSS score of 9.8. The vulnerability allows an unprivileged user who has access to the Veeam ONE Web Client to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service.
The remaining two vulnerabilities are rated medium severity. The first, CVE-2023-38549, has a CVSS score of 4.5 and affects Veeam ONE 11, 11a, and 12. The vendor stated that the criticality of the bug is reduced because it requires interaction from a user with the product's Administrator role. The vulnerability allows a user with the Veeam ONE Power User role to obtain the access token of a user with the Veeam ONE Administrator role through the use of XSS.
The second medium-severity bug, tracked as CVE-2023-41723, has a CVSS score of 4.3 and also affects Veeam ONE 11, 11a, and 12. The vulnerability allows a user with the Veeam ONE Read-Only User role to view the Dashboard Schedule. The criticality is reduced because a user with the read-only role is only able to view the schedule, not make changes to it.