CVE-2019-14297

Name of the Vulnerable Software and Affected Versions Veeam ONE Reporter version 9.5.0.3201

Description The issue allows for cross-site scripting (XSS) attacks via the Add/Edit Widget with a crafted Caption field to setDashboardWidget in "CommonDataHandlerReadOnly.ashx" API endpoint. This can potentially lead to malicious script execution.

Recommendations For version 9.5.0.3201, avoid using the Caption field in the Add/Edit Widget until a fix is available. As a temporary workaround, consider restricting access to the setDashboardWidget function in CommonDataHandlerReadOnly.ashx to minimize the risk of exploitation.