Veeam Explorer for Microsoft Exchange Javascript Execution Vulnerability

Challenge

The vulnerability allows execution of arbitrary code in emails containing inline Javascript.
 

Cause

The affected component is Veeam Explorer for Microsoft Exchange message preview browser. Email content is rendered using HTML browser and if an email contains inline Javascript, the embedded script may be executed.
 

Solution

1) On each machine where Veeam Explorer for Exchange is installed, navigate to C:\Program Files\Veeam\Backup and Replication\ExchangeExplorer and make a backup of the following files by copying them to another folder:

• BlockedFileTypes.xml
• Veeam.Exchange.Explorer.exe

2) Copy the following files from the hotfix package to C:\Program Files\Veeam\Backup and Replication\ExchangeExplorer:

• BlockedFileTypes.xml
• Veeam.Exchange.Explorer.exe
• HtmlAgilityPack.dll

More Information

[[DOWNLOAD|DOWNLOAD PRIVATE FIX|https://storage.veeam.com/Fix_153325_7bd041331f.zip]]

MD5 checksum for Fix_153325_7bd041331f.zip is 8a93566d6c66dbaa08c5649b525d4d4e

Should have any questions, contact Veeam Support.

NOTE: A hotfix for the vulnerability is available for the following products and versions: Veeam Backup and Replication 9.5 Update3a (9.5.0.1922) and Veeam Backup for Office 365 1.5