CVE-2023-38549: 
Veeam ONE vulnerability analysis and mitigation

A vulnerability in Veeam ONE (CVE-2023-38549) allows an unprivileged user with access to the Veeam ONE Web Client to obtain the access token of a user with the Veeam ONE Administrator role through Cross-Site Scripting (XSS). The vulnerability was discovered in 2023 and affects Veeam ONE versions 11, 11a, and 12 (Veeam KB, NVD).

The vulnerability is classified as a Cross-Site Scripting (XSS) issue (CWE-79) with a CVSS v3.1 base score of 4.5 MEDIUM (Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N). The vulnerability specifically allows a user with Veeam ONE Power User role to execute XSS attacks to obtain administrator access tokens (NVD, Lansweeper).

The vulnerability enables an attacker with Power User role to potentially gain unauthorized access to administrative functions by obtaining the access token of a user with Veeam ONE Administrator role. However, the criticality is reduced as it requires interaction by a user with the Veeam ONE Administrator role (Hacker News, Veeam KB).

Veeam has released hotfixes for affected versions: Veeam ONE 12 P20230314 (12.0.1.2591), Veeam ONE 11a (11.0.1.1880), and Veeam ONE 11 (11.0.0.1379). Users are advised to apply these hotfixes to address the vulnerability. The deployment requires stopping Veeam ONE monitoring and reporting services, replacing the affected files, and restarting the services (Veeam KB).