PT-2019-13594 · Veeam · Veeam One Reporter

Published

2019-07-27

Updated

2019-07-29

CVE-2019-14297

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Veeam ONE Reporter version 9.5.0.3201

Description The issue allows for cross-site scripting (XSS) attacks via the Add/Edit Widget with a crafted Caption field to setDashboardWidget in "CommonDataHandlerReadOnly.ashx" API endpoint. This can potentially lead to malicious script execution.

Recommendations For version 9.5.0.3201, avoid using the Caption field in the Add/Edit Widget until a fix is available. As a temporary workaround, consider restricting access to the setDashboardWidget function in CommonDataHandlerReadOnly.ashx to minimize the risk of exploitation.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2019-14297

Affected Products

Veeam One Reporter

PT-2019-13594 · Veeam · Veeam One Reporter

CVE-2019-14297

Weakness Enumeration

Related Identifiers

Affected Products

References · 3