CVE-2023-38549: XSS
First published: Tue Nov 07 2023(Updated: )
A vulnerability in Veeam ONE allows an unprivileged user who has access to the Veeam ONE Web Client the ability to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service. Note: The criticality of this vulnerability is reduced as it requires interaction by a user with the Veeam ONE Administrator role.
Credit: support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Veeam ONE | =11.0.0.1379 | |
| Veeam ONE | =11.0.1.1880 | |
| Veeam ONE | =12.0.0.2498 | |
| Veeam ONE | =12.0.1.2591 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-38549?
CVE-2023-38549 is a vulnerability in Veeam ONE that allows an unprivileged user to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service.
How does CVE-2023-38549 affect Veeam ONE?
CVE-2023-38549 affects Veeam ONE versions 11.0.0.1379, 11.0.1.1880, 12.0.0.2498, and 12.0.1.2591.
What is the severity of CVE-2023-38549?
CVE-2023-38549 has a severity score of 5.4 (medium).
How can I fix CVE-2023-38549?
To fix CVE-2023-38549, update Veeam ONE to the latest version available and follow the recommendations provided in the Veeam KB4508 article (link provided).
What is CWE-79?
CWE-79 is a Common Weakness Enumeration category for Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').
- collector/nvd-api
- agent/weakness
- agent/references
- agent/type
- agent/event
- agent/severity
- agent/author
- agent/description
- agent/remedy
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/veeam
- canonical/veeam one
- version/veeam one/11.0.0.1379
- version/veeam one/11.0.1.1880
- version/veeam one/12.0.0.2498
- version/veeam one/12.0.1.2591