Published Product Vulnerabilities

CVEID

CVE-2024-7211

PRODUCT

1E Platform

VERSION

– 24.7
– 23.11.1.15
– 23.7.1.80
– 8.4.1.229

PROBLEM TYPE

URL Redirection to Untrusted Site (‘Open Redirect’)

REFERENCES

– https://www.1e.com/trust-security-compliance/cve-info/
– NVD – CVE-2024-7211 (nist.gov)
– CVE – CVE-2024-7211 (mitre.org)
– CVE Record | CVE-2024-7211 (cve.org)
– Security Patch for IdentityServer (CVE-2024-39694) | Duende Software Blog

DESCRIPTION

The 1E Platform’s component utilized the third-party Duende Identity Server, which suffered from an open redirect vulnerability, permitting an attacker to control the redirection path of end users.

Note: 1E Platform’s component using the third-party Duende Identity Server has been updated with the patch that includes the fix.

DATE

31-07-2024

ASSIGNING CNA

1E

CVEID

CVE-2023-5964

PRODUCT

1E Platform – Exchange Product Pack – End-User Interaction

VERSION

<23

PROBLEM TYPE

Improper Input Validation

REFERENCES

https://exchange.1e.com/product-packs/network/
https://www.1e.com/trust-security-compliance/cve-info/

DESCRIPTION

The 1E-Exchange-DisplayMessageinstruction that is part of the End-User Interaction product pack available on the 1E Exchange does not properly validate the Caption or Message parameters, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions.

To remediate this issue DELETE the instruction “Show dialogue with caption %Caption% and message %Message%” from the list of instructions in the Settings UI, and replace it with the new instruction 1E-Exchange-ShowNotification instruction available in the updated End-User Interaction product pack. The new instruction should show as “Show %Type% type notification with header %Header% and message %Message%” with a version of 7.1 or above.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

ASSIGNING CNA

1E

CVEID

CVE-2023-45163

PRODUCT

1E Platform – Exchange Product Pack – Network

VERSION

<18.1

PROBLEM TYPE

Improper Input Validation

REFERENCES

https://exchange.1e.com/product-packs/network/
https://www.1e.com/trust-security-compliance/cve-info/

DESCRIPTION

The 1E-Exchange-CommandLinePing instruction that is part of the Network product pack available on the 1E Exchange does not properly validate the Caption or Message parameters, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions.

To remediate this issue download the updated Network product pack from the 1E Exchange and update the 1E-Exchange-CommandLinePing instruction to v18.1by uploading it through the 1E Platform instruction upload UI.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

ASSIGNING CNA

1E

CVEID

CVE-2023-45162

PRODUCT

1E Platform

VERSION

– 8.1.2
– 8.4.1
– 9.0.1
– 23.7.1

PROBLEM TYPE

Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

REFERENCES

https://www.1e.com/trust-security-compliance/cve-info/

DESCRIPTION

Affected 1E Platform versions have a Blind SQL Injection vulnerability that can lead to arbitrary code execution.

Application of the relevant hotfix remediates this issue.

for v8.1.2 apply hotfix Q23166
for v8.4.1 apply hotfix Q23164
for v9.0.1 apply hotfix Q23173

SaaS implementations on v23.7.1 will automatically have hotfix Q23173 applied. Customers with SaaS versions below this are urged to upgrade urgently – please contact 1E to arrange this.

CVSS v3.1 Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

ASSIGNING CNA

1E

CVEID

CVE-2023-45161

PRODUCT

1E Platform – Exchange Product Pack – Network

VERSION

<20.1

PROBLEM TYPE

Improper Input Validation

REFERENCES

https://exchange.1e.com/product-packs/network/
https://www.1e.com/trust-security-compliance/cve-info/

DESCRIPTION

The 1E-Exchange-URLResponseTime instruction that is part of the Network product pack available on the 1E Exchange does not properly validate the input parameter, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions.

To remediate this issue download the updated Network product pack from the 1E Exchange and update the 1E-Exchange-URLResponseTime instruction to v20.1by uploading it through the 1E Platform instruction upload UI.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

ASSIGNING CNA

1E

CVEID

CVE-2023-45160

PRODUCT

1E Client for Windows

VERSION

– 8.1.2.62
– 8.4.1.159
– 9.0.1.88
– 23.7.1.151

PROBLEM TYPE

Files or Directories Accessible to External Parties

REFERENCES

https://www.1e.com/trust-security-compliance/cve-info/

DESCRIPTION

In the affected version of the 1E Client, an ordinary user could subvert downloaded instruction resource files, e.g., to substitute a harmful script. by replacing a resource script file created by an instruction at run time with a malicious script. This has been fixed in patch Q23094 as the 1E Client’s temporary directory is now locked down.

CVSS v3.1 Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

ASSIGNING CNA

1E

CVEID

CVE-2023-45159

PRODUCT

1E Client for Windows

VERSION

– 8.1.2.62
– 8.4.1.159
– 9.0.1.88
– 23.7.1.151

PROBLEM TYPE

Improper Link Resolution Before File Access (‘Link Following’)

REFERENCES

https://www.1e.com/trust-security-compliance/cve-info/

DESCRIPTION

1E Client installer can perform arbitrary file deletion on protected files. A non-privileged user could provide a symbolic link or Windows junction to point to a protected directory in the installer that the 1E Client would then clear on service startup.

A hotfix is available from the 1E support portal that forces the 1E Client to check for a symbolic link or junction and if it finds one refuses to use that path and instead creates a path involving a random GUID.

for v8.1 use hotfix Q23097
for v8.4 use hotfix Q23105
for v9.0 use hotfix Q23115

for SaaS customers, use 1EClient v23.7 plus hotfix Q23121

ASSIGNING CNA

1E

CVEID

CVE-2020-16268

PRODUCT

1E Client for Windows

VERSION

– 5.0.x
– 4.1.x

PROBLEM TYPE

Execution with Unnecessary Privileges

REFERENCES

https://help.1e.com/display/GI/1E+Security+Advisory-1E+Client+for+Windows%3A+CVE-2020-16268%2C+CVE-2020-27643%2C+CVE-2020-27644%2C+CVE-2020-27645

DESCRIPTION

The MSI installer in 1E Client 4.1.0.267 and 5.0.0.745 allows remote authenticated users and local users to gain elevated privileges via the repair option. This applies to installations that have a TRANSFORM (MST) with the option to disable the installation of the Nomad module. An attacker may craft a .reg file in a specific location that will be able to write to any registry key as an elevated user.

CVSS v3.1 Vector AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C/CR:X/IR:X/AR:X/MAV:L/MAC:X/MPR:X/MUI:X/MS:X/MC:X/MI:X/MA:X

https://nvd.nist.gov/vuln/detail/CVE-2020-16268
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16268

ASSIGNING CNA

MITRE

CVEID

CVE-2020-27643

PRODUCT

1E Client for Windows

VERSION

– 5.0.x
– 4.1.x

PROBLEM TYPE

Windows Hard Link

REFERENCES

https://help.1e.com/display/GI/1E+Security+Advisory-1E+Client+for+Windows%3A+CVE-2020-16268%2C+CVE-2020-27643%2C+CVE-2020-27644%2C+CVE-2020-27645

DESCRIPTION

The %PROGRAMDATA%\1E\Client directory in 1E Client 5.0.0.745 and 4.1.0.267 allows remote authenticated users and local users to create and modify files in protected directories (where they would not normally have access to create or modify files) via the creation of a junction point to a system directory. This leads to partial privilege escalation. This vulnerability can be mitigated by changing the permission of the ProgramData\1E\Client directory so that a standard user does not have the ability to create and modify files.

CVSS v3.1 Vector AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N/E:P/RL:O/RC:C

https://nvd.nist.gov/vuln/detail/CVE-2020-27643
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27643

ASSIGNING CNA

MITRE

CVEID

CVE-2020-27644

PRODUCT

1E Client for Windows

VERSION

5.0.x

PROBLEM TYPE

Uncontrolled Search Path Element

REFERENCES

https://help.1e.com/display/GI/1E+Security+Advisory-1E+Client+for+Windows%3A+CVE-2020-16268%2C+CVE-2020-27643%2C+CVE-2020-27644%2C+CVE-2020-27645

DESCRIPTION

The Inventory module of the 1E Client 5.0.0.745 doesn’t handle an unquoted path when executing %PROGRAMFILES%\1E\Client\Tachyon.Performance.Metrics.exe. This may allow remote authenticated users and local users to gain elevated privileges by placing a malicious file called cryptbase.dll to the C:\Windows\Temp\.

CVSS v3.1 Vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C

https://nvd.nist.gov/vuln/detail/CVE-2020-27644
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27644

ASSIGNING CNA

MITRE

PRODUCT

1E Client for Windows

VERSION

5.0.x

PROBLEM TYPE

Uncontrolled Search Path Element

REFERENCES

https://help.1e.com/display/GI/1E+Security+Advisory-1E+Client+for+Windows%3A+CVE-2020-16268%2C+CVE-2020-27643%2C+CVE-2020-27644%2C+CVE-2020-27645

DESCRIPTION

The Inventory module of the 1E Client 5.0.0.745 doesn’t handle an unquoted path when executing %PROGRAMFILES%\1E\Client\Tachyon.Performance.Metrics.exe. This may allow remote authenticated users and local users to gain elevated privileges.

CVSS v3.1 Vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C

https://nvd.nist.gov/vuln/detail/CVE-2020-27645
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27645

ASSIGNING CNA

MITRE