Data resiliency specialist Veeam has released hotfixes to resolve four newly discovered vulnerabilities in its flagship IT monitoring and analytics software, two of which are rated critical.
In a security update yesterday, the firm revealed CVE-2023-38547, a CVSS 9.9-rated flaw in Veeam ONE 11, 11a and 12.
“A vulnerability in Veeam ONE allows an unauthenticated user to gain information about the SQL server connection Veeam ONE uses to access its configuration database. This may lead to remote code execution on the SQL server hosting the Veeam ONE configuration database,” it explained.
The second critical bug (CVE-2023-38548) affects Veeam ONE version 12 and has a CVSS score of 9.8.
“A vulnerability in Veeam ONE allows an unprivileged user who has access to the Veeam ONE Web Client the ability to acquire the NTLM hash of the account used by the Veeam ONE Reporting Service,” Veeam said.
The remaining two vulnerabilities are rated “medium” severity. The first, CVE-2023-38549, has a CVSS score of 4.5 and affects Veeam ONE 11, 11a and 12. The vendor claimed the criticality of the bug is reduced because it requires a user to interact with the product’s administrator role.
“A vulnerability in Veeam ONE allows a user with the Veeam ONE Power User role to obtain the access token of a user with the Veeam ONE Administrator role through the use of XSS,” it said.
The second medium-severity bug is CVE-2023-41723, which has a CVSS score of 4.3, and also affects Veeam ONE 11, 11a and 12.
“A vulnerability in Veeam ONE allows a user with the Veeam ONE Read-Only User role to view the Dashboard Schedule,” the vendor explained. It added that, in this case, the criticality is reduced because the user with a read-only role is only able to view the schedule and not make changes.