Authentication Bypass in Veeam ONE Web Client by Veeam
CVE-2023-38549
4.5 MEDIUM
Summary
A security vulnerability in Veeam ONE Web Client allows an unprivileged user to retrieve the NTLM hash of the account used by the Veeam ONE Reporting Service. The risk is partly mitigated because the action must be initiated by a user holding the Veeam ONE Administrator role, but it still poses a significant security concern. This vulnerability highlights the need for robust user access controls and auditing mechanisms in Veeam ONE deployments.
Affected Version(s)
One 11
One 11a
One 12
CVSS v3.1
Score: 4.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability reserved