Veeam Explorer for Microsoft Exchange Javascript Execution Vulnerability

Challenge

The vulnerability allows execution of arbitrary code in emails containing inline Javascript.

NOTE: This has been corrected in Veeam Backup for MIcrosoft Office 365 version 3 and Veeam Backup & Replication version U4a.
 

Cause

The affected component is Veeam Explorer for Microsoft Exchange message preview browser. Email content is rendered using HTML browser and if an email contains inline Javascript, the embedded script may be executed.
 

Solution

1)    Download the hotfix ZIP package;
2)    Navigate to the corresponding folder according to the product you want to apply the hotfix to;
3)    On each machine where Veeam Explorer for Exchange is installed, navigate to C:\Program Files\Veeam\Backup and Replication\ExchangeExplorer and make a backup of the following files by copying them to another folder:

• BlockedFileTypes.xml
• Veeam.Exchange.Explorer.exe

4)    Copy the following files from the hotfix package to C:\Program Files\Veeam\Backup and Replication\ExchangeExplorer:

• BlockedFileTypes.xml
• Veeam.Exchange.Explorer.exe
• HtmlAgilityPack.dll

More Information

[[DOWNLOAD|DOWNLOAD HOTFIX|https://www.veeam.com/download_add_packs/backup-microsoft-office-365/kb2847/]]

MD5 checksum for kb2847.zip is 3e8db48b1c9dbc1034f0dbd75c3aadfd

Should you have any questions, contact Veeam Support.