Security News > 2023 > November > Veeam warns of critical bugs in Veeam ONE monitoring platform

Veeam warns of critical bugs in Veeam ONE monitoring platform
2023-11-06 21:58

Veeam released hotfixes today to address four vulnerabilities in the company's Veeam ONE IT infrastructure monitoring and analytics platform, two of them critical.

"A vulnerability in Veeam ONE allows an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration database. This may lead to remote code execution on the SQL server hosting the Veeam ONE configuration database," an advisory published today says about the bug tracked as CVE-2023-38547.

"A vulnerability in Veeam ONE allows an unprivileged user who has access to the Veeam ONE Web Client the ability to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service," the company says when describing the second critical vulnerability patched today.

Veeam also fixed a security flaw tracked as CVE-2023-38549 that could let attackers with Power User roles steal the access token of an admin in a Cross-Site Scripting attack, which requires user interaction from someone with the Veeam ONE Administrator role.

Admins must stop the Veeam ONE monitoring and reporting services on impacted servers, replace the files on the disk with the files in the hotfix, and restart the services to deploy the hotfixes.

In March, Veeam also fixed a high-severity Backup Service vulnerability in the Backup & Replication software that can be used to breach backup infrastructure hosts.


News URL

https://www.bleepingcomputer.com/news/security/veeam-warns-of-critical-bugs-in-veeam-one-monitoring-platform/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2023-11-07 CVE-2023-38549 Cross-site Scripting vulnerability in Veeam ONE
A vulnerability in Veeam ONE allows an unprivileged user who has access to the Veeam ONE Web Client the ability to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service.
network
low complexity
veeam CWE-79
5.4
2023-11-07 CVE-2023-38547 Unspecified vulnerability in Veeam ONE
A vulnerability in Veeam ONE allows an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration database.
network
low complexity
veeam
critical
9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Veeam 11 0 8 9 7 24