CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-38650
https://notcve.org/view.php?id=CVE-2024-38650
An authentication bypass vulnerability can allow a low privileged attacker to access the NTLM hash of service account on the VSPC server. • https://www.veeam.com/kb4649 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-39715
https://notcve.org/view.php?id=CVE-2024-39715
A code injection vulnerability that allows a low-privileged user with REST API access granted to remotely upload arbitrary files to the VSPC server using REST API, leading to remote code execution on VSPC server. • https://www.veeam.com/kb4649 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-38651
https://notcve.org/view.php?id=CVE-2024-38651
A code injection vulnerability can allow a low-privileged user to overwrite files on that VSPC server, which can lead to remote code execution on VSPC server. • https://www.veeam.com/kb4649 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-39714
https://notcve.org/view.php?id=CVE-2024-39714
A code injection vulnerability that permits a low-privileged user to upload arbitrary files to the server, leading to remote code execution on VSPC server. • https://www.veeam.com/kb4649 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 2%CPEs: 6EXPL: 3CVE-2023-27532 – Veeam Backup & Replication Cloud Connect Missing Authentication for Critical Function Vulnerability
https://notcve.org/view.php?id=CVE-2023-27532
Vulnerability in Veeam Backup & Replication component allows encrypted credentials stored in the configuration database to be obtained. This may lead to gaining access to the backup infrastructure hosts. Veeam Backup & Replication Cloud Connect component contains a missing authentication for critical function vulnerability that allows an unauthenticated user operating within the backup infrastructure network perimeter to obtain encrypted credentials stored in the configuration database. This may lead to an attacker gaining access to the backup infrastructure hosts. • https://github.com/sfewer-r7/CVE-2023-27532 https://github.com/horizon3ai/CVE-2023-27532 https://github.com/puckiestyle/CVE-2023-27532-RCE-Only https://www.veeam.com/kb4424 • CWE-306: Missing Authentication for Critical Function •