All the vulnerabilites related to 1E - 1E Platform
cve-2024-7211
Vulnerability from cvelistv5
Published
2024-08-01 16:49
Modified
2024-08-02 12:56
Severity ?
EPSS score ?
Summary
The 1E Platform's component utilized the third-party Duende Identity Server, which suffered from an open redirect vulnerability, permitting an attacker to control the redirection path of end users.
Note: 1E Platform's component utilizing the third-party Duende Identity Server has been updated with the patch that includes the fix.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | 1E | 1E Platform |
Version: 24.7 Version: 23.11.1.15 Version: 23.7.1.80 Version: 8.4.1.229 |
|
|
|||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7211",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-01T17:33:30.440960Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T17:33:36.133Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "1E Platform",
"vendor": "1E",
"versions": [
{
"status": "affected",
"version": "24.7"
},
{
"status": "affected",
"version": "23.11.1.15"
},
{
"status": "affected",
"version": "23.7.1.80"
},
{
"status": "affected",
"version": "8.4.1.229"
}
]
}
],
"datePublic": "2024-08-01T14:35:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ctt\u003e\u003ctt\u003eThe 1E Platform\u0027s component utilized the third-party Duende Identity Server, which suffered from an open redirect vulnerability, permitting an attacker to control the redirection path of end users.\u003cbr\u003e\u003cbr\u003eNote: 1E Platform\u0027s component utilizing the third-party Duende Identity Server has been updated with the patch that includes the fix.\u003cbr\u003e\u003cbr\u003e\u003c/tt\u003e\u003c/tt\u003e"
}
],
"value": "The 1E Platform\u0027s component utilized the third-party Duende Identity Server, which suffered from an open redirect vulnerability, permitting an attacker to control the redirection path of end users.\n\nNote: 1E Platform\u0027s component utilizing the third-party Duende Identity Server has been updated with the patch that includes the fix."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T12:56:59.320Z",
"orgId": "4a68d2b9-b68a-4765-95bd-17f35092666b",
"shortName": "1E"
},
"references": [
{
"url": "https://www.1e.com/trust-security-compliance/cve-info/"
}
],
"source": {
"advisory": "CVE-2024-39694",
"discovery": "EXTERNAL"
},
"title": "The Duende Identity Server based component in 1E Platform may allow URL redirections to untrusted websites.",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4a68d2b9-b68a-4765-95bd-17f35092666b",
"assignerShortName": "1E",
"cveId": "CVE-2024-7211",
"datePublished": "2024-08-01T16:49:47.597Z",
"dateReserved": "2024-07-29T16:05:07.068Z",
"dateUpdated": "2024-08-02T12:56:59.320Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-45162
Vulnerability from cvelistv5
Published
2023-10-13 12:48
Modified
2024-09-17 20:25
Severity ?
EPSS score ?
Summary
Affected 1E Platform versions have a Blind SQL Injection vulnerability that can lead to arbitrary code execution.
Application of the relevant hotfix remediates this issue.
for v8.1.2 apply hotfix Q23166
for v8.4.1 apply hotfix Q23164
for v9.0.1 apply hotfix Q23169
SaaS implementations on v23.7.1 will automatically have hotfix Q23173 applied. Customers with SaaS versions below this are urged to upgrade urgently - please contact 1E to arrange this
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | 1E | 1E Platform |
Version: 0 Version: 0 Version: 0 Version: 0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:14:19.735Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.1e.com/trust-security-compliance/cve-info/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-45162",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-17T20:24:59.274547Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-17T20:25:10.039Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "1E Platform",
"vendor": "1E",
"versions": [
{
"changes": [
{
"at": "Q23166",
"status": "unaffected"
}
],
"lessThan": "8.1.2",
"status": "affected",
"version": "0",
"versionType": "Q23166"
},
{
"changes": [
{
"at": "Q23164",
"status": "unaffected"
}
],
"lessThan": "8.4.1",
"status": "affected",
"version": "0",
"versionType": "Q23164"
},
{
"changes": [
{
"at": "Q23169",
"status": "unaffected"
}
],
"lessThan": "9.0.1",
"status": "affected",
"version": "0",
"versionType": "Q23169"
},
{
"changes": [
{
"at": "Q23173",
"status": "unaffected"
}
],
"lessThan": "23.7.1",
"status": "affected",
"version": "0",
"versionType": "Q23173"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Discovered by 1E penetration testing"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Affected 1E Platform versions have a Blind SQL Injection vulnerability that can lead to arbitrary code execution.\u0026nbsp;\u003cbr\u003e\u003cbr\u003eApplication of the relevant hotfix remediates this issue.\u003cbr\u003e\u003cbr\u003efor v8.1.2 apply hotfix Q23166\u003cbr\u003efor v8.4.1 apply hotfix Q23164\u003cbr\u003efor v9.0.1 apply hotfix Q23169\u003cbr\u003e\u003cbr\u003eSaaS implementations on v23.7.1 will automatically have hotfix Q23173 applied. Customers with SaaS versions below this are urged to upgrade urgently - please contact 1E to arrange this"
}
],
"value": "Affected 1E Platform versions have a Blind SQL Injection vulnerability that can lead to arbitrary code execution.\u00a0\n\nApplication of the relevant hotfix remediates this issue.\n\nfor v8.1.2 apply hotfix Q23166\nfor v8.4.1 apply hotfix Q23164\nfor v9.0.1 apply hotfix Q23169\n\nSaaS implementations on v23.7.1 will automatically have hotfix Q23173 applied. Customers with SaaS versions below this are urged to upgrade urgently - please contact 1E to arrange this"
}
],
"impacts": [
{
"capecId": "CAPEC-108",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-108 Command Line Execution through SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-19T08:36:45.745Z",
"orgId": "4a68d2b9-b68a-4765-95bd-17f35092666b",
"shortName": "1E"
},
"references": [
{
"url": "https://www.1e.com/trust-security-compliance/cve-info/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Blind SQL vulnerability in 1E platform",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4a68d2b9-b68a-4765-95bd-17f35092666b",
"assignerShortName": "1E",
"cveId": "CVE-2023-45162",
"datePublished": "2023-10-13T12:48:01.359Z",
"dateReserved": "2023-10-04T23:59:54.079Z",
"dateUpdated": "2024-09-17T20:25:10.039Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}