- 283/2023
- Critical
Veeam has released a security update to fix several vulnerabilities in Veeam ONE IT infrastructure monitoring and analytics platform versions 11, 11a, and 12.
The addressed vulnerabilities could allow the attacker to obtain sensitive information, perform cross-site scripting attacks, execute arbitrary code, and gain access to the affected system.
Sample of the addressed vulnerabilities:
1. Veeam ONE Code Execution Vulnerability (CVE-2023-38547):
- CVSS: 9.9
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
2. Veeam ONE Information Disclosure Vulnerability (CVE-2023-38548):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Obtain Information
Vulnerabilities
- CVE-2023-38547
- CVE-2023-38548
- CVE-2023-38549
- CVE-2023-41723
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.