Veeam Explorer for Microsoft Exchange Javascript Execution Vulnerability

KB ID: 2847
Product: Veeam Backup & Replication;Veeam Backup for Microsoft Office 365
Version: 9.5.0.1922, 1.5.1309, 2.0.x
Published:
Last Modified: 2019-04-23

Challenge

The vulnerability allows execution of arbitrary code in emails containing inline Javascript.

NOTE: This has been corrected in Veeam Backup for MIcrosoft Office 365 version 3 and Veeam Backup & Replication version U4a.
 

Cause

The affected component is Veeam Explorer for Microsoft Exchange message preview browser. Email content is rendered using HTML browser and if an email contains inline Javascript, the embedded script may be executed.
 

Solution

1)    Download the hotfix ZIP package;
2)    Navigate to the corresponding folder according to the product you want to apply the hotfix to;
3)    On each machine where Veeam Explorer for Exchange is installed, navigate to C:\Program Files\Veeam\Backup and Replication\ExchangeExplorer and make a backup of the following files by copying them to another folder:

  • BlockedFileTypes.xml
  • Veeam.Exchange.Explorer.exe
4)    Copy the following files from the hotfix package to C:\Program Files\Veeam\Backup and Replication\ExchangeExplorer:
  • BlockedFileTypes.xml
  • Veeam.Exchange.Explorer.exe
  • HtmlAgilityPack.dll

More Information

[[DOWNLOAD|DOWNLOAD HOTFIX|https://www.veeam.com/download_add_packs/backup-microsoft-office-365/kb2847/]]

MD5 checksum for kb2847.zip is 3e8db48b1c9dbc1034f0dbd75c3aadfd

Should you have any questions, contact Veeam Support.

Please be aware that we’re making changes which will restrict access to product updates for users without an active contract.

OK

Rate the quality of this KB article: 
3.9 out of 5 based on 5 ratings

Couldn't find what you were looking for?

Below you can submit an idea for a new knowledge base article.

Request new content

Report a typo on this page:

Please select a spelling error or a typo on this page with your mouse and press CTRL + Enter to report this mistake to us. Thank you!

Spelling error in text:

Submit