CVE-2020-15419

Name of the Vulnerable Software and Affected Versions Veeam ONE version 10.0.0.750 20200415

Description This issue allows remote attackers to disclose sensitive information on affected installations without requiring authentication. The flaw exists within the Reporter ImportLicense class due to the improper restriction of XML External Entity (XXE) references. By specifying a specially crafted URI in a document, an attacker can cause the XML parser to access the URI and embed its contents back into the XML document. This can be leveraged to disclose file contents in the context of SYSTEM.

Recommendations For Veeam ONE version 10.0.0.750 20200415, consider restricting access to the Reporter ImportLicense class until a patch is available. As a temporary workaround, disabling the XML External Entity (XXE) processing in the Reporter ImportLicense class may help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.