CVSS: 5.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-2070
https://notcve.org/view.php?id=CVE-2025-2070
25 Apr 2025 — An improper XML parsing vulnerability was reported in the FileZ client that could allow arbitrary file reads on the system if a crafted url is visited by a local user. • https://www.filez.com/securityPolicy/2.html?1744703100 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 5.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-2069
https://notcve.org/view.php?id=CVE-2025-2069
25 Apr 2025 — A cross-site scripting vulnerability was reported in the FileZ client that could allow execution of code if a crafted url is visited by a local user. • https://www.filez.com/securityPolicy/2.html?1744703100 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-2068
https://notcve.org/view.php?id=CVE-2025-2068
25 Apr 2025 — An open redirect vulnerability was reported in the FileZ client that could allow information disclosure if a crafted url is visited by a local user. • https://www.filez.com/securityPolicy/2.html?1744703100 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 0CVE-2023-45160 – Elevated Temp Directory Execution in 1E Client
https://notcve.org/view.php?id=CVE-2023-45160
05 Oct 2023 — In the affected version of the 1E Client, an ordinary user could subvert downloaded instruction resource files, e.g., to substitute a harmful script. by replacing a resource script file created by an instruction at run time with a malicious script. The 1E Client's temporary directory is now locked down in the released patch. Resolution: This has been fixed in patch Q23094 This issue has also been fixed in the Mac Client in updated versions of Non-Windows release v8.1.2.62 - please re-download from the 1E Su... • https://1e.my.site.com/s • CWE-552: Files or Directories Accessible to External Parties •
CVSS: 8.4EPSS: 0%CPEs: 4EXPL: 0CVE-2023-45159 – 1E Client installer can perform arbitrary file deletion on protected files
https://notcve.org/view.php?id=CVE-2023-45159
05 Oct 2023 — 1E Client installer can perform arbitrary file deletion on protected files. A non-privileged user could provide a symbolic link or Windows junction to point to a protected directory in the installer that the 1E Client would then clear on service startup. A hotfix is available from the 1E support portal that forces the 1E Client to check for a symbolic link or junction and if it finds one refuses to use that path and instead creates a path involving a random GUID. for v8.1 use hotfix Q23097 for v8.4 use hotf... • https://www.1e.com/trust-security-compliance/cve-info • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 7.7EPSS: 0%CPEs: 4EXPL: 0CVE-2023-3892 – Unsafe XML parsing of 3rd party DICOM private tags may lead to XXE
https://notcve.org/view.php?id=CVE-2023-3892
19 Sep 2023 — Improper Restriction of XML External Entity Reference vulnerability in MIM Assistant and Client DICOM RTst Loading modules allows XML Entity Linking / XML External Entities Blowup. In order to take advantage of this vulnerability, an attacker must craft a malicious XML document, embed this document into specific 3rd party private RTst metadata tags, transfer the now compromised DICOM object to MIM, and force MIM to archive and load the data. Users on either version are strongly encouraged to update to an un... • https://www.mimsoftware.com/cve-2023-3892 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-27645
https://notcve.org/view.php?id=CVE-2020-27645
29 Dec 2020 — The Inventory module of the 1E Client 5.0.0.745 doesn't handle an unquoted path when executing %PROGRAMFILES%\1E\Client\Tachyon.Performance.Metrics.exe. This may allow remote authenticated users and local users to gain elevated privileges. El módulo Inventory del 1E Client versión 5.0.0.745, no maneja una ruta sin comillas cuando se ejecuta %PROGRAMFILES%\1E\Client\Tachyon.Performance.Metrics.exe. Esto puede permitir a los usuarios locales y los usuarios autenticados remotos obtener privilegios elevado... • https://help.1e.com/display/GI/1E+Security+Advisory-1E+Client+for+Windows%3A+CVE-2020-16268%2C+CVE-2020-27643%2C+CVE-2020-27644%2C+CVE-2020-27645 • CWE-428: Unquoted Search Path or Element •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-27644
https://notcve.org/view.php?id=CVE-2020-27644
29 Dec 2020 — The Inventory module of the 1E Client 5.0.0.745 doesn't handle an unquoted path when executing %PROGRAMFILES%\1E\Client\Tachyon.Performance.Metrics.exe. This may allow remote authenticated users and local users to gain elevated privileges by placing a malicious cryptbase.dll file in %WINDIR%\Temp\. El módulo Inventory de 1E Client versión 5.0.0.745, no maneja una ruta sin comillas al ejecutar %PROGRAMFILES%\1E\Client\Tachyon.Performance.Metrics.exe. Esto puede permitir a los usuarios locales y los usua... • https://help.1e.com/display/GI/1E+Security+Advisory-1E+Client+for+Windows%3A+CVE-2020-16268%2C+CVE-2020-27643%2C+CVE-2020-27644%2C+CVE-2020-27645 • CWE-428: Unquoted Search Path or Element •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-27643
https://notcve.org/view.php?id=CVE-2020-27643
29 Dec 2020 — The %PROGRAMDATA%\1E\Client directory in 1E Client 5.0.0.745 and 4.1.0.267 allows remote authenticated users and local users to create and modify files in protected directories (where they would not normally have access to create or modify files) via the creation of a junction point to a system directory. This leads to partial privilege escalation. El directorio %PROGRAMDATA%\1E\Client en 1E Client versiones 5.0.0.745 y 4.1.0.267, permite a los usuarios autenticados remotos y a los usuarios locales crear y ... • https://help.1e.com/display/GI/1E+Security+Advisory-1E+Client+for+Windows%3A+CVE-2020-16268%2C+CVE-2020-27643%2C+CVE-2020-27644%2C+CVE-2020-27645 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2020-16268
https://notcve.org/view.php?id=CVE-2020-16268
29 Dec 2020 — The MSI installer in 1E Client 4.1.0.267 and 5.0.0.745 allows remote authenticated users and local users to gain elevated privileges via the repair option. This applies to installations that have a TRANSFORM (MST) with the option to disable the installation of the Nomad module. An attacker may craft a .reg file in a specific location that will be able to write to any registry key as an elevated user. El instalador MSI en 1E Client versiones 4.1.0.267 y 5.0.0.745, permite a los usuarios autenticados remotos ... • https://help.1e.com/display/GI/1E+Security+Advisory-1E+Client+for+Windows%3A+CVE-2020-16268%2C+CVE-2020-27643%2C+CVE-2020-27644%2C+CVE-2020-27645 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-668: Exposure of Resource to Wrong Sphere •