Veeam has warned of a vulnerability that could give an attacker remote code execution (RCE) on the SQL server used by its Veeam ONE monitoring platform.
Veeam ONE 11, 11a and 12 are also used in versions 5 and 6 of the company's Disaster Recovery Orchestrator, and in version 4 of its Availability Orchestrator.
According to the company's advisory, CVE-2023-38547 (CVSS score of 9.9) "allows an unauthenticated user to acquire information about the SQL server connection Veeam ONE uses to access its configuration database."
An attacker who obtains that information could gain RCE on the server hosting the configuration database.
A second critical vulnerability, CVE-2023-38548 (CVSS score 9.8), lets an unprivileged user with access to the Veeam ONE Web Client obtain the Microsoft "NTLM hash of the account used by the Veeam ONE Reporting Service."
There are also two lower-rated vulnerabilities the company patched earlier this week.
CVE-2023-38549 (CVSS score 4.5) carries a lower rating because it is only exploitable by an attacker with a Veeam ONE Power User role. The attacker could use a cross-site scripting (XSS) attack to obtain the access token of an administrator.
In CVE-2023-41723 (CVSS score 4.3), someone with read-only privileges could view the software's dashboard schedule.
The company noted that vulnerability testing was only performed against currently supported versions of its software.
The patches are supplied as hotfix files that require the Veeam ONE monitoring and reporting services to be stopped and restarted.