PT-2019-13595 · Veeam · Veeam One Reporter

Published

2019-07-27

Updated

2019-07-29

CVE-2019-14298

CVSS v3.1

5.4

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Veeam ONE Reporter version 9.5.0.3201

Description The issue allows for cross-site scripting (XSS) attacks via a crafted Description field in the config to addDashboard or editDashboard in CommonDataHandlerReadOnly.ashx. This can potentially lead to the execution of malicious scripts.

Recommendations For Veeam ONE Reporter version 9.5.0.3201, consider restricting access to the CommonDataHandlerReadOnly.ashx endpoint until a patch is available. As a temporary workaround, avoid using the Description field in the config for addDashboard or editDashboard operations to minimize the risk of exploitation.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2019-14298

Affected Products

Veeam One Reporter

PT-2019-13595 · Veeam · Veeam One Reporter

CVE-2019-14298

Weakness Enumeration

Related Identifiers

Affected Products

References · 3