CVSS: 4.7EPSS: 0%CPEs: 4EXPL: 0CVE-2024-7211 – The Duende Identity Server based component in 1E Platform may allow URL redirections to untrusted websites.
https://notcve.org/view.php?id=CVE-2024-7211
The Identity Server used by 1E Platform could enable URL redirection to untrusted sites. Note: The Identity Server on 1E Platform has been updated with the necessary patch. The 1E Platform's component utilized the third-party Duende Identity Server, which suffered from an open redirect vulnerability, permitting an attacker to control the redirection path of end users. Note: 1E Platform's component utilizing the third-party Duende Identity Server has been updated with the patch that includes the fix. • https://www.1e.com/trust-security-compliance/cve-info •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5964 – 1E-Exchange-DisplayMessage instruction allows for arbitrary code execution
https://notcve.org/view.php?id=CVE-2023-5964
The 1E-Exchange-DisplayMessageinstruction that is part of the End-User Interaction product pack available on the 1E Exchange does not properly validate the Caption or Message parameters, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions. This instruction only runs on Windows clients. To remediate this issue DELETE the instruction “Show dialogue with caption %Caption% and message %Message%” from the list of instructions in the Settings UI, and replace it with the new instruction 1E-Exchange-ShowNotification instruction available in the updated End-User Interaction product pack. The new instruction should show as “Show %Type% type notification with header %Header% and message %Message%” with a version of 7.1 or above. La instrucción 1E-Exchange-DisplayMessage que forma parte del paquete de productos End-User Interaction disponible en 1E Exchange no valida correctamente los parámetros Caption o Message, lo que permite una entrada especialmente manipulada para realizar la ejecución de código arbitrario con permisos del SYSTEM. Para solucionar este problema, ELIMINAR la instrucción "Mostrar diálogo con el título %Caption% y el mensaje %Message%" de la lista de instrucciones en la Interfaz de Usuario de Configuración y reemplazarla con la nueva instrucción 1E-Exchange-ShowNotification disponible en la versión final actualizada. • https://exchange.1e.com/product-packs/end-user-interaction https://www.1e.com/trust-security-compliance/cve-info • CWE-20: Improper Input Validation •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-45163 – 1E-Exchange-CommandLinePing instruction before v18.1 allows for arbitrary code execution
https://notcve.org/view.php?id=CVE-2023-45163
The 1E-Exchange-CommandLinePing instruction that is part of the Network product pack available on the 1E Exchange does not properly validate the input parameter, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions. This instruction only runs on Windows clients. To remediate this issue download the updated Network product pack from the 1E Exchange and update the 1E-Exchange-CommandLinePing instruction to v18.1 by uploading it through the 1E Platform instruction upload UI La instrucción 1E-Exchange-CommandLinePing que forma parte del paquete de productos Network disponible en 1E Exchange no valida correctamente el parámetro de entrada, lo que permite una entrada especialmente manipulada para realizar la ejecución de código arbitrario con permisos del SYSTEM. Para solucionar este problema, descargue el paquete de producto de red actualizado desde 1E Exchange y actualice la instrucción 1E-Exchange-CommandLinePing a v18.1 cargándola a través de la interfaz de usuario de carga de instrucciones de 1E Platform. • https://https://exchange.1e.com/product-packs/network https://www.1e.com/trust-security-compliance/cve-info • CWE-20: Improper Input Validation •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-45161 – 1E-Exchange-URLResponseTime instruction before v20.1 allows arbitrary code execution
https://notcve.org/view.php?id=CVE-2023-45161
The 1E-Exchange-URLResponseTime instruction that is part of the Network product pack available on the 1E Exchange does not properly validate the URL parameter, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions. This instruction only runs on Windows clients. To remediate this issue download the updated Network product pack from the 1E Exchange and update the 1E-Exchange-URLResponseTime instruction to v20.1 by uploading it through the 1E Platform instruction upload UI La instrucción 1E-Exchange-URLResponseTime que forma parte del paquete de productos Network disponible en 1E Exchange no valida correctamente el parámetro URL, lo que permite una entrada especialmente manipulada para realizar la ejecución de código arbitrario con permisos del SYSTEM. Para solucionar este problema, descargue el paquete de producto de red actualizado desde 1E Exchange y actualice la instrucción 1E-Exchange-URLResponseTime a v20.1 cargándola a través de la interfaz de usuario de carga de instrucciones de 1E Platform. • https://exchange.1e.com/product-packs/network https://www.1e.com/trust-security-compliance/cve-info • CWE-20: Improper Input Validation •
CVSS: 9.9EPSS: 0%CPEs: 4EXPL: 0CVE-2023-45162 – Blind SQL vulnerability in 1E platform
https://notcve.org/view.php?id=CVE-2023-45162
Affected 1E Platform versions have a Blind SQL Injection vulnerability that can lead to arbitrary code execution. Application of the relevant hotfix remediates this issue. for v8.1.2 apply hotfix Q23166 for v8.4.1 apply hotfix Q23164 for v9.0.1 apply hotfix Q23169 SaaS implementations on v23.7.1 will automatically have hotfix Q23173 applied. Customers with SaaS versions below this are urged to upgrade urgently - please contact 1E to arrange this Las versiones afectadas de 1E Platform tienen una vulnerabilidad de inyección Blind SQL que puede provocar la ejecución de código arbitrario. La aplicación del hotfix correspondiente soluciona este problema. para v8.1.2 aplique hotfix Q23166 para v8.4.1 aplique hotfix Q23164 para v9.0.1 aplique hotfix Q23169 Las implementaciones de SaaS en v23.7.1 tendrán automáticamente aplicado el hotfix Q23173. Se insta a los clientes con versiones de SaaS inferiores a esta a actualizar urgentemente; comuníquese con 1E para organizar esto. • https://www.1e.com/trust-security-compliance/cve-info • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •