CVSS: 9.8EPSS: 96%CPEs: 1EXPL: 3CVE-2024-40711 – Veeam Backup and Replication Deserialization Vulnerability
https://notcve.org/view.php?id=CVE-2024-40711
A deserialization of untrusted data vulnerability with a malicious payload can allow an unauthenticated remote code execution (RCE). Veeam Backup and Replication contains a deserialization vulnerability allowing an unauthenticated user to perform remote code execution. • https://github.com/watchtowrlabs/CVE-2024-40711?tab=readme-ov-file https://github.com/watchtowrlabs/CVE-2024-40711 https://github.com/realstatus/CVE-2024-40711-Exp https://www.veeam.com/kb4649 • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-39715
https://notcve.org/view.php?id=CVE-2024-39715
A code injection vulnerability that allows a low-privileged user with REST API access granted to remotely upload arbitrary files to the VSPC server using REST API, leading to remote code execution on VSPC server. • https://www.veeam.com/kb4649 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-40712
https://notcve.org/view.php?id=CVE-2024-40712
A path traversal vulnerability allows an attacker with a low-privileged account and local access to the system to perform local privilege escalation (LPE). • https://www.veeam.com/kb4649 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-38651
https://notcve.org/view.php?id=CVE-2024-38651
A code injection vulnerability can allow a low-privileged user to overwrite files on that VSPC server, which can lead to remote code execution on VSPC server. • https://www.veeam.com/kb4649 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-42020
https://notcve.org/view.php?id=CVE-2024-42020
A Cross-site-scripting (XSS) vulnerability exists in the Reporter Widgets that allows HTML injection. • https://www.veeam.com/kb4649 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •