CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-7211 – The Duende Identity Server based component in 1E Platform may allow URL redirections to untrusted websites.
https://notcve.org/view.php?id=CVE-2024-7211
01 Aug 2024 — The Identity Server used by 1E Platform could enable URL redirection to untrusted sites. Note: The Identity Server on 1E Platform has been updated with the necessary patch. The 1E Platform's component utilized the third-party Duende Identity Server, which suffered from an open redirect vulnerability, permitting an attacker to control the redirection path of end users. Note: 1E Platform's component utilizing the third-party Duende Identity Server has been updated with the patch that includes the fix. • https://www.1e.com/trust-security-compliance/cve-info • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-5964 – 1E-Exchange-DisplayMessage instruction allows for arbitrary code execution
https://notcve.org/view.php?id=CVE-2023-5964
06 Nov 2023 — The 1E-Exchange-DisplayMessageinstruction that is part of the End-User Interaction product pack available on the 1E Exchange does not properly validate the Caption or Message parameters, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions. This instruction only runs on Windows clients. To remediate this issue DELETE the instruction “Show dialogue with caption %Caption% and message %Message%” from the list of instructions in the Settings UI, and replace it w... • https://exchange.1e.com/product-packs/end-user-interaction • CWE-20: Improper Input Validation •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-45163 – 1E-Exchange-CommandLinePing instruction before v18.1 allows for arbitrary code execution
https://notcve.org/view.php?id=CVE-2023-45163
06 Nov 2023 — The 1E-Exchange-CommandLinePing instruction that is part of the Network product pack available on the 1E Exchange does not properly validate the input parameter, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions. This instruction only runs on Windows clients. To remediate this issue download the updated Network product pack from the 1E Exchange and update the 1E-Exchange-CommandLinePing instruction to v18.1 by uploading it through the 1E Platform instruct... • https://https://exchange.1e.com/product-packs/network • CWE-20: Improper Input Validation •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2023-45161 – 1E-Exchange-URLResponseTime instruction before v20.1 allows arbitrary code execution
https://notcve.org/view.php?id=CVE-2023-45161
06 Nov 2023 — The 1E-Exchange-URLResponseTime instruction that is part of the Network product pack available on the 1E Exchange does not properly validate the URL parameter, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions. This instruction only runs on Windows clients. To remediate this issue download the updated Network product pack from the 1E Exchange and update the 1E-Exchange-URLResponseTime instruction to v20.1 by uploading it through the 1E Platform instructio... • https://exchange.1e.com/product-packs/network • CWE-20: Improper Input Validation •
CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 0CVE-2023-45162 – Blind SQL vulnerability in 1E platform
https://notcve.org/view.php?id=CVE-2023-45162
13 Oct 2023 — Affected 1E Platform versions have a Blind SQL Injection vulnerability that can lead to arbitrary code execution. Application of the relevant hotfix remediates this issue. for v8.1.2 apply hotfix Q23166 for v8.4.1 apply hotfix Q23164 for v9.0.1 apply hotfix Q23169 SaaS implementations on v23.7.1 will automatically have hotfix Q23173 applied. Customers with SaaS versions below this are urged to upgrade urgently - please contact 1E to arrange this Las versiones afectadas de 1E Platform tienen una vulnerabilid... • https://www.1e.com/trust-security-compliance/cve-info • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •