All the vulnerabilites related to 1e - platform
cve-2023-45163
Vulnerability from cvelistv5
Published
2023-11-06 12:19
Modified
2024-09-05 13:51
Severity ?
EPSS score ?
Summary
The 1E-Exchange-CommandLinePing instruction that is part of the Network product pack available on the 1E Exchange does not properly validate the input parameter, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions. This instruction only runs on Windows clients.
To remediate this issue download the updated Network product pack from the 1E Exchange and update the 1E-Exchange-CommandLinePing instruction to v18.1 by uploading it through the 1E Platform instruction upload UI
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:14:19.022Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://https://exchange.1e.com/product-packs/network/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.1e.com/trust-security-compliance/cve-info/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-45163",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T13:47:21.798997Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T13:51:18.601Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://exchange.1e.com/product-packs/network/",
"defaultStatus": "affected",
"packageName": "1E-Exchange-CommandLinePing",
"platforms": [
"Windows"
],
"product": "Platform",
"vendor": "1E",
"versions": [
{
"lessThan": "18.1",
"status": "affected",
"version": "0",
"versionType": "Update"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Lockheed Martin red team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe 1E-Exchange-CommandLinePing instruction that is part of the Network product pack available on the 1E Exchange does not properly validate the input parameter, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions. This instruction only runs on Windows clients.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eTo remediate this issue download the updated Network product pack from the 1E Exchange and update the 1E-Exchange-CommandLinePing instruction to v18.1 by uploading it through the 1E Platform instruction upload UI\u003c/span\u003e\n\n"
}
],
"value": "\nThe 1E-Exchange-CommandLinePing instruction that is part of the Network product pack available on the 1E Exchange does not properly validate the input parameter, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions. This instruction only runs on Windows clients.\n\nTo remediate this issue download the updated Network product pack from the 1E Exchange and update the 1E-Exchange-CommandLinePing instruction to v18.1 by uploading it through the 1E Platform instruction upload UI\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-248",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-248 Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-21T17:43:41.290Z",
"orgId": "4a68d2b9-b68a-4765-95bd-17f35092666b",
"shortName": "1E"
},
"references": [
{
"url": "https://https://exchange.1e.com/product-packs/network/"
},
{
"url": "https://www.1e.com/trust-security-compliance/cve-info/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "1E-Exchange-CommandLinePing instruction before v18.1 allows for arbitrary code execution",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4a68d2b9-b68a-4765-95bd-17f35092666b",
"assignerShortName": "1E",
"cveId": "CVE-2023-45163",
"datePublished": "2023-11-06T12:19:20.662Z",
"dateReserved": "2023-10-04T23:59:54.079Z",
"dateUpdated": "2024-09-05T13:51:18.601Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-5964
Vulnerability from cvelistv5
Published
2023-11-06 12:27
Modified
2024-09-05 13:46
Severity ?
EPSS score ?
Summary
The 1E-Exchange-DisplayMessageinstruction that is part of the End-User Interaction product pack available on the 1E Exchange does not properly validate the Caption or Message parameters, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions. This instruction only runs on Windows clients.
To remediate this issue DELETE the instruction “Show dialogue with caption %Caption% and message %Message%” from the list of instructions in the Settings UI, and replace it with the new instruction 1E-Exchange-ShowNotification instruction available in the updated End-User Interaction product pack. The new instruction should show as “Show %Type% type notification with header %Header% and message %Message%” with a version of 7.1 or above.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T08:14:25.152Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://exchange.1e.com/product-packs/end-user-interaction/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.1e.com/trust-security-compliance/cve-info/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-5964",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T13:44:12.972782Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T13:46:41.751Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://exchange.1e.com/product-packs/end-user-interaction/",
"defaultStatus": "affected",
"packageName": "1E-Exchange-DisplayMessage",
"platforms": [
"Windows"
],
"product": "Platform",
"vendor": "1E",
"versions": [
{
"lessThanOrEqual": "23",
"status": "affected",
"version": "0",
"versionType": "Delete"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Lockheed Martin red team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\n\n\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eThe 1E-Exchange-DisplayMessageinstruction that is part of the End-User Interaction product pack available on the 1E Exchange does not properly validate the Caption or Message parameters, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions. This instruction only runs on Windows clients.\u003c/span\u003e\u003cbr\u003e\u003cbr\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eTo remediate this issue DELETE the instruction\u0026nbsp;\u201cShow dialogue with caption %Caption% and message %Message%\u201d from the list of instructions in the Settings UI, and replace it with the new instruction\u0026nbsp;1E-Exchange-ShowNotification instruction available in the updated End-User Interaction product pack. The new instruction should show as\u0026nbsp;\u201cShow %Type% type notification with header %Header% and message %Message%\u201d with a version of 7.1 or above.\u003c/span\u003e"
}
],
"value": "\nThe 1E-Exchange-DisplayMessageinstruction that is part of the End-User Interaction product pack available on the 1E Exchange does not properly validate the Caption or Message parameters, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions. This instruction only runs on Windows clients.\n\nTo remediate this issue DELETE the instruction\u00a0\u201cShow dialogue with caption %Caption% and message %Message%\u201d from the list of instructions in the Settings UI, and replace it with the new instruction\u00a01E-Exchange-ShowNotification instruction available in the updated End-User Interaction product pack. The new instruction should show as\u00a0\u201cShow %Type% type notification with header %Header% and message %Message%\u201d with a version of 7.1 or above."
}
],
"impacts": [
{
"capecId": "CAPEC-248",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-248 Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-21T17:44:24.651Z",
"orgId": "4a68d2b9-b68a-4765-95bd-17f35092666b",
"shortName": "1E"
},
"references": [
{
"url": "https://exchange.1e.com/product-packs/end-user-interaction/"
},
{
"url": "https://www.1e.com/trust-security-compliance/cve-info/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "1E-Exchange-DisplayMessage instruction allows for arbitrary code execution",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4a68d2b9-b68a-4765-95bd-17f35092666b",
"assignerShortName": "1E",
"cveId": "CVE-2023-5964",
"datePublished": "2023-11-06T12:27:12.281Z",
"dateReserved": "2023-11-06T12:19:31.831Z",
"dateUpdated": "2024-09-05T13:46:41.751Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2024-7211
Vulnerability from cvelistv5
Published
2024-08-01 16:49
Modified
2024-08-02 12:56
Severity ?
EPSS score ?
Summary
The 1E Platform's component utilized the third-party Duende Identity Server, which suffered from an open redirect vulnerability, permitting an attacker to control the redirection path of end users.
Note: 1E Platform's component utilizing the third-party Duende Identity Server has been updated with the patch that includes the fix.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | 1E | 1E Platform |
Version: 24.7 Version: 23.11.1.15 Version: 23.7.1.80 Version: 8.4.1.229 |
|
|
|||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7211",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-01T17:33:30.440960Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-01T17:33:36.133Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "1E Platform",
"vendor": "1E",
"versions": [
{
"status": "affected",
"version": "24.7"
},
{
"status": "affected",
"version": "23.11.1.15"
},
{
"status": "affected",
"version": "23.7.1.80"
},
{
"status": "affected",
"version": "8.4.1.229"
}
]
}
],
"datePublic": "2024-08-01T14:35:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003ctt\u003e\u003ctt\u003eThe 1E Platform\u0027s component utilized the third-party Duende Identity Server, which suffered from an open redirect vulnerability, permitting an attacker to control the redirection path of end users.\u003cbr\u003e\u003cbr\u003eNote: 1E Platform\u0027s component utilizing the third-party Duende Identity Server has been updated with the patch that includes the fix.\u003cbr\u003e\u003cbr\u003e\u003c/tt\u003e\u003c/tt\u003e"
}
],
"value": "The 1E Platform\u0027s component utilized the third-party Duende Identity Server, which suffered from an open redirect vulnerability, permitting an attacker to control the redirection path of end users.\n\nNote: 1E Platform\u0027s component utilizing the third-party Duende Identity Server has been updated with the patch that includes the fix."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-02T12:56:59.320Z",
"orgId": "4a68d2b9-b68a-4765-95bd-17f35092666b",
"shortName": "1E"
},
"references": [
{
"url": "https://www.1e.com/trust-security-compliance/cve-info/"
}
],
"source": {
"advisory": "CVE-2024-39694",
"discovery": "EXTERNAL"
},
"title": "The Duende Identity Server based component in 1E Platform may allow URL redirections to untrusted websites.",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "4a68d2b9-b68a-4765-95bd-17f35092666b",
"assignerShortName": "1E",
"cveId": "CVE-2024-7211",
"datePublished": "2024-08-01T16:49:47.597Z",
"dateReserved": "2024-07-29T16:05:07.068Z",
"dateUpdated": "2024-08-02T12:56:59.320Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-45161
Vulnerability from cvelistv5
Published
2023-11-06 12:13
Modified
2024-09-05 13:52
Severity ?
EPSS score ?
Summary
The 1E-Exchange-URLResponseTime instruction that is part of the Network product pack available on the 1E Exchange does not properly validate the URL parameter, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions. This instruction only runs on Windows clients.
To remediate this issue download the updated Network product pack from the 1E Exchange and update the 1E-Exchange-URLResponseTime instruction to v20.1 by uploading it through the 1E Platform instruction upload UI
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:14:19.524Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://exchange.1e.com/product-packs/network/"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.1e.com/trust-security-compliance/cve-info/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-45161",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T13:51:52.700343Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T13:52:59.032Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://exchange.1e.com/product-packs/network/",
"defaultStatus": "affected",
"packageName": "1E-Exchange-URLResponseTime",
"platforms": [
"Windows"
],
"product": "Platform",
"vendor": "1E",
"versions": [
{
"lessThan": "20.1",
"status": "affected",
"version": "0",
"versionType": "Update"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Lockheed Martin red team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The 1E-Exchange-URLResponseTime instruction that is part of the Network product pack available on the 1E Exchange does not properly validate the URL parameter, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions. This instruction only runs on Windows clients.\u003cbr\u003e\u003cbr\u003eTo remediate this issue download the updated Network product pack from the 1E Exchange and update the 1E-Exchange-URLResponseTime instruction to v20.1 by uploading it through the 1E Platform instruction upload UI"
}
],
"value": "The 1E-Exchange-URLResponseTime instruction that is part of the Network product pack available on the 1E Exchange does not properly validate the URL parameter, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions. This instruction only runs on Windows clients.\n\nTo remediate this issue download the updated Network product pack from the 1E Exchange and update the 1E-Exchange-URLResponseTime instruction to v20.1 by uploading it through the 1E Platform instruction upload UI"
}
],
"impacts": [
{
"capecId": "CAPEC-248",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-248 Command Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-21T17:44:06.508Z",
"orgId": "4a68d2b9-b68a-4765-95bd-17f35092666b",
"shortName": "1E"
},
"references": [
{
"url": "https://exchange.1e.com/product-packs/network/"
},
{
"url": "https://www.1e.com/trust-security-compliance/cve-info/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "1E-Exchange-URLResponseTime instruction before v20.1 allows arbitrary code execution",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4a68d2b9-b68a-4765-95bd-17f35092666b",
"assignerShortName": "1E",
"cveId": "CVE-2023-45161",
"datePublished": "2023-11-06T12:13:09.083Z",
"dateReserved": "2023-10-04T23:59:54.078Z",
"dateUpdated": "2024-09-05T13:52:59.032Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
cve-2023-45162
Vulnerability from cvelistv5
Published
2023-10-13 12:48
Modified
2024-09-17 20:25
Severity ?
EPSS score ?
Summary
Affected 1E Platform versions have a Blind SQL Injection vulnerability that can lead to arbitrary code execution.
Application of the relevant hotfix remediates this issue.
for v8.1.2 apply hotfix Q23166
for v8.4.1 apply hotfix Q23164
for v9.0.1 apply hotfix Q23169
SaaS implementations on v23.7.1 will automatically have hotfix Q23173 applied. Customers with SaaS versions below this are urged to upgrade urgently - please contact 1E to arrange this
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| ▼ | 1E | 1E Platform |
Version: 0 Version: 0 Version: 0 Version: 0 |
|
|
|||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:14:19.735Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.1e.com/trust-security-compliance/cve-info/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-45162",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-17T20:24:59.274547Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-17T20:25:10.039Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "1E Platform",
"vendor": "1E",
"versions": [
{
"changes": [
{
"at": "Q23166",
"status": "unaffected"
}
],
"lessThan": "8.1.2",
"status": "affected",
"version": "0",
"versionType": "Q23166"
},
{
"changes": [
{
"at": "Q23164",
"status": "unaffected"
}
],
"lessThan": "8.4.1",
"status": "affected",
"version": "0",
"versionType": "Q23164"
},
{
"changes": [
{
"at": "Q23169",
"status": "unaffected"
}
],
"lessThan": "9.0.1",
"status": "affected",
"version": "0",
"versionType": "Q23169"
},
{
"changes": [
{
"at": "Q23173",
"status": "unaffected"
}
],
"lessThan": "23.7.1",
"status": "affected",
"version": "0",
"versionType": "Q23173"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Discovered by 1E penetration testing"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Affected 1E Platform versions have a Blind SQL Injection vulnerability that can lead to arbitrary code execution.\u0026nbsp;\u003cbr\u003e\u003cbr\u003eApplication of the relevant hotfix remediates this issue.\u003cbr\u003e\u003cbr\u003efor v8.1.2 apply hotfix Q23166\u003cbr\u003efor v8.4.1 apply hotfix Q23164\u003cbr\u003efor v9.0.1 apply hotfix Q23169\u003cbr\u003e\u003cbr\u003eSaaS implementations on v23.7.1 will automatically have hotfix Q23173 applied. Customers with SaaS versions below this are urged to upgrade urgently - please contact 1E to arrange this"
}
],
"value": "Affected 1E Platform versions have a Blind SQL Injection vulnerability that can lead to arbitrary code execution.\u00a0\n\nApplication of the relevant hotfix remediates this issue.\n\nfor v8.1.2 apply hotfix Q23166\nfor v8.4.1 apply hotfix Q23164\nfor v9.0.1 apply hotfix Q23169\n\nSaaS implementations on v23.7.1 will automatically have hotfix Q23173 applied. Customers with SaaS versions below this are urged to upgrade urgently - please contact 1E to arrange this"
}
],
"impacts": [
{
"capecId": "CAPEC-108",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-108 Command Line Execution through SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-19T08:36:45.745Z",
"orgId": "4a68d2b9-b68a-4765-95bd-17f35092666b",
"shortName": "1E"
},
"references": [
{
"url": "https://www.1e.com/trust-security-compliance/cve-info/"
}
],
"source": {
"discovery": "INTERNAL"
},
"title": "Blind SQL vulnerability in 1E platform",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "4a68d2b9-b68a-4765-95bd-17f35092666b",
"assignerShortName": "1E",
"cveId": "CVE-2023-45162",
"datePublished": "2023-10-13T12:48:01.359Z",
"dateReserved": "2023-10-04T23:59:54.079Z",
"dateUpdated": "2024-09-17T20:25:10.039Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2023-11-06 13:15
Modified
2024-11-21 08:26
Severity ?
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
The 1E-Exchange-URLResponseTime instruction that is part of the Network product pack available on the 1E Exchange does not properly validate the URL parameter, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions. This instruction only runs on Windows clients.
To remediate this issue download the updated Network product pack from the 1E Exchange and update the 1E-Exchange-URLResponseTime instruction to v20.1 by uploading it through the 1E Platform instruction upload UI
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:1e:platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "311D316D-840E-4A1E-9555-A654300BCE76",
"versionEndExcluding": "20.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The 1E-Exchange-URLResponseTime instruction that is part of the Network product pack available on the 1E Exchange does not properly validate the URL parameter, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions. This instruction only runs on Windows clients.\n\nTo remediate this issue download the updated Network product pack from the 1E Exchange and update the 1E-Exchange-URLResponseTime instruction to v20.1 by uploading it through the 1E Platform instruction upload UI"
},
{
"lang": "es",
"value": "La instrucci\u00f3n 1E-Exchange-URLResponseTime que forma parte del paquete de productos Network disponible en 1E Exchange no valida correctamente el par\u00e1metro URL, lo que permite una entrada especialmente manipulada para realizar la ejecuci\u00f3n de c\u00f3digo arbitrario con permisos del SYSTEM. Para solucionar este problema, descargue el paquete de producto de red actualizado desde 1E Exchange y actualice la instrucci\u00f3n 1E-Exchange-URLResponseTime a v20.1 carg\u00e1ndola a trav\u00e9s de la interfaz de usuario de carga de instrucciones de 1E Platform."
}
],
"id": "CVE-2023-45161",
"lastModified": "2024-11-21T08:26:27.807",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0,
"source": "security@1e.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-11-06T13:15:09.730",
"references": [
{
"source": "security@1e.com",
"tags": [
"Product"
],
"url": "https://exchange.1e.com/product-packs/network/"
},
{
"source": "security@1e.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.1e.com/trust-security-compliance/cve-info/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://exchange.1e.com/product-packs/network/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.1e.com/trust-security-compliance/cve-info/"
}
],
"sourceIdentifier": "security@1e.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security@1e.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-08-01 17:16
Modified
2024-09-06 13:23
Severity ?
4.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
The 1E Platform's component utilized the third-party Duende Identity Server, which suffered from an open redirect vulnerability, permitting an attacker to control the redirection path of end users.
Note: 1E Platform's component utilizing the third-party Duende Identity Server has been updated with the patch that includes the fix.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@1e.com | https://www.1e.com/trust-security-compliance/cve-info/ | Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:1e:platform:8.4.1.229:*:*:*:*:*:*:*",
"matchCriteriaId": "85744E52-16DF-43C6-AD32-9F7900998AB7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:1e:platform:23.7.1.80:*:*:*:*:*:*:*",
"matchCriteriaId": "B4D00FCE-9011-45B2-9BA2-0E2115948E39",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:1e:platform:23.11.1.15:*:*:*:*:*:*:*",
"matchCriteriaId": "EA3612F8-C90E-474B-8243-0543BCAAFE7C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:1e:platform:24.7:*:*:*:*:*:*:*",
"matchCriteriaId": "68C25D73-241A-4143-AB09-516A54FD1C3A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The 1E Platform\u0027s component utilized the third-party Duende Identity Server, which suffered from an open redirect vulnerability, permitting an attacker to control the redirection path of end users.\n\nNote: 1E Platform\u0027s component utilizing the third-party Duende Identity Server has been updated with the patch that includes the fix."
},
{
"lang": "es",
"value": " El servidor de identidad utilizado por 1E Platform podr\u00eda permitir la redirecci\u00f3n de URL a sitios que no son de confianza. Nota: El servidor de identidad en la plataforma 1E se actualiz\u00f3 con el parche necesario."
}
],
"id": "CVE-2024-7211",
"lastModified": "2024-09-06T13:23:07.237",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security@1e.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-08-01T17:16:09.727",
"references": [
{
"source": "security@1e.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.1e.com/trust-security-compliance/cve-info/"
}
],
"sourceIdentifier": "security@1e.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-11-06 13:15
Modified
2024-11-21 08:42
Severity ?
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
The 1E-Exchange-DisplayMessageinstruction that is part of the End-User Interaction product pack available on the 1E Exchange does not properly validate the Caption or Message parameters, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions. This instruction only runs on Windows clients.
To remediate this issue DELETE the instruction “Show dialogue with caption %Caption% and message %Message%” from the list of instructions in the Settings UI, and replace it with the new instruction 1E-Exchange-ShowNotification instruction available in the updated End-User Interaction product pack. The new instruction should show as “Show %Type% type notification with header %Header% and message %Message%” with a version of 7.1 or above.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:1e:platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "50B288B4-2B67-4912-B7E3-CD9DD70E0AEC",
"versionEndExcluding": "23.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "\nThe 1E-Exchange-DisplayMessageinstruction that is part of the End-User Interaction product pack available on the 1E Exchange does not properly validate the Caption or Message parameters, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions. This instruction only runs on Windows clients.\n\nTo remediate this issue DELETE the instruction\u00a0\u201cShow dialogue with caption %Caption% and message %Message%\u201d from the list of instructions in the Settings UI, and replace it with the new instruction\u00a01E-Exchange-ShowNotification instruction available in the updated End-User Interaction product pack. The new instruction should show as\u00a0\u201cShow %Type% type notification with header %Header% and message %Message%\u201d with a version of 7.1 or above."
},
{
"lang": "es",
"value": "La instrucci\u00f3n 1E-Exchange-DisplayMessage que forma parte del paquete de productos End-User Interaction disponible en 1E Exchange no valida correctamente los par\u00e1metros Caption o Message, lo que permite una entrada especialmente manipulada para realizar la ejecuci\u00f3n de c\u00f3digo arbitrario con permisos del SYSTEM. Para solucionar este problema, ELIMINAR la instrucci\u00f3n \"Mostrar di\u00e1logo con el t\u00edtulo %Caption% y el mensaje %Message%\" de la lista de instrucciones en la Interfaz de Usuario de Configuraci\u00f3n y reemplazarla con la nueva instrucci\u00f3n 1E-Exchange-ShowNotification disponible en la versi\u00f3n final actualizada. Paquete de productos de interacci\u00f3n del usuario. La nueva instrucci\u00f3n deber\u00eda mostrarse como \"Mostrar notificaci\u00f3n de tipo %Type% con encabezado %Header% y mensaje %Message%\" con una versi\u00f3n de 7.1 o superior."
}
],
"id": "CVE-2023-5964",
"lastModified": "2024-11-21T08:42:52.617",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0,
"source": "security@1e.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-11-06T13:15:10.187",
"references": [
{
"source": "security@1e.com",
"tags": [
"Product"
],
"url": "https://exchange.1e.com/product-packs/end-user-interaction/"
},
{
"source": "security@1e.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.1e.com/trust-security-compliance/cve-info/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://exchange.1e.com/product-packs/end-user-interaction/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.1e.com/trust-security-compliance/cve-info/"
}
],
"sourceIdentifier": "security@1e.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security@1e.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-11-06 13:15
Modified
2024-11-21 08:26
Severity ?
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
7.2 (High) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Summary
The 1E-Exchange-CommandLinePing instruction that is part of the Network product pack available on the 1E Exchange does not properly validate the input parameter, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions. This instruction only runs on Windows clients.
To remediate this issue download the updated Network product pack from the 1E Exchange and update the 1E-Exchange-CommandLinePing instruction to v18.1 by uploading it through the 1E Platform instruction upload UI
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:1e:platform:*:*:*:*:*:*:*:*",
"matchCriteriaId": "BF56D447-5E51-4622-9380-60D1FAFD1392",
"versionEndExcluding": "18.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "\nThe 1E-Exchange-CommandLinePing instruction that is part of the Network product pack available on the 1E Exchange does not properly validate the input parameter, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions. This instruction only runs on Windows clients.\n\nTo remediate this issue download the updated Network product pack from the 1E Exchange and update the 1E-Exchange-CommandLinePing instruction to v18.1 by uploading it through the 1E Platform instruction upload UI\n\n"
},
{
"lang": "es",
"value": "La instrucci\u00f3n 1E-Exchange-CommandLinePing que forma parte del paquete de productos Network disponible en 1E Exchange no valida correctamente el par\u00e1metro de entrada, lo que permite una entrada especialmente manipulada para realizar la ejecuci\u00f3n de c\u00f3digo arbitrario con permisos del SYSTEM. Para solucionar este problema, descargue el paquete de producto de red actualizado desde 1E Exchange y actualice la instrucci\u00f3n 1E-Exchange-CommandLinePing a v18.1 carg\u00e1ndola a trav\u00e9s de la interfaz de usuario de carga de instrucciones de 1E Platform."
}
],
"id": "CVE-2023-45163",
"lastModified": "2024-11-21T08:26:28.060",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0,
"source": "security@1e.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-11-06T13:15:09.807",
"references": [
{
"source": "security@1e.com",
"tags": [
"Product"
],
"url": "https://https://exchange.1e.com/product-packs/network/"
},
{
"source": "security@1e.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.1e.com/trust-security-compliance/cve-info/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://https://exchange.1e.com/product-packs/network/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.1e.com/trust-security-compliance/cve-info/"
}
],
"sourceIdentifier": "security@1e.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security@1e.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-10-13 13:15
Modified
2024-11-21 08:26
Severity ?
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Affected 1E Platform versions have a Blind SQL Injection vulnerability that can lead to arbitrary code execution.
Application of the relevant hotfix remediates this issue.
for v8.1.2 apply hotfix Q23166
for v8.4.1 apply hotfix Q23164
for v9.0.1 apply hotfix Q23169
SaaS implementations on v23.7.1 will automatically have hotfix Q23173 applied. Customers with SaaS versions below this are urged to upgrade urgently - please contact 1E to arrange this
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@1e.com | https://www.1e.com/trust-security-compliance/cve-info/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.1e.com/trust-security-compliance/cve-info/ | Vendor Advisory |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:1e:platform:8.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A123674D-27C6-4374-B626-C208F0394789",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:1e:platform:8.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "C4D3240B-F056-4BA4-974C-7D6B5D8B36DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:1e:platform:9.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5BB2EBF4-B0DD-4ACF-85D6-C2D780A4AC4E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:1e:platform:23.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "68D28A90-56C3-429A-B94D-FA0A82D40359",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Affected 1E Platform versions have a Blind SQL Injection vulnerability that can lead to arbitrary code execution.\u00a0\n\nApplication of the relevant hotfix remediates this issue.\n\nfor v8.1.2 apply hotfix Q23166\nfor v8.4.1 apply hotfix Q23164\nfor v9.0.1 apply hotfix Q23169\n\nSaaS implementations on v23.7.1 will automatically have hotfix Q23173 applied. Customers with SaaS versions below this are urged to upgrade urgently - please contact 1E to arrange this"
},
{
"lang": "es",
"value": "Las versiones afectadas de 1E Platform tienen una vulnerabilidad de inyecci\u00f3n Blind SQL que puede provocar la ejecuci\u00f3n de c\u00f3digo arbitrario. La aplicaci\u00f3n del hotfix correspondiente soluciona este problema. para v8.1.2 aplique hotfix Q23166 para v8.4.1 aplique hotfix Q23164 para v9.0.1 aplique hotfix Q23169 Las implementaciones de SaaS en v23.7.1 tendr\u00e1n autom\u00e1ticamente aplicado el hotfix Q23173. Se insta a los clientes con versiones de SaaS inferiores a esta a actualizar urgentemente; comun\u00edquese con 1E para organizar esto."
}
],
"id": "CVE-2023-45162",
"lastModified": "2024-11-21T08:26:27.933",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.1,
"impactScore": 6.0,
"source": "security@1e.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-10-13T13:15:11.910",
"references": [
{
"source": "security@1e.com",
"tags": [
"Vendor Advisory"
],
"url": "https://www.1e.com/trust-security-compliance/cve-info/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://www.1e.com/trust-security-compliance/cve-info/"
}
],
"sourceIdentifier": "security@1e.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "security@1e.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}