CVE-2023-41723
In short
A user with read-only access to Veeam ONE can view the Dashboard Schedule, which should be restricted. While they cannot make changes, this information disclosure allows unauthorized viewing of sensitive scheduling information.
Technical detail
CWE-922 (Improper Restriction of Communication Channel to Intended Endpoints) allows a read-only user to access the Dashboard Schedule endpoint without proper authorization controls. The attack requires valid read-only credentials; impact is limited to information disclosure since modification capabilities are absent.
Summary generated and translated by AI from the official description.
A vulnerability in Veeam ONE allows a user with the Veeam ONE Read-Only User role to view the Dashboard Schedule. Note: The criticality of this vulnerability is reduced because the user with the Read-Only role is only able to view the schedule and cannot make changes.
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Affected products
Veeam · One
References
https://www.veeam.com/kb4508