Vulnerabilities > 1E

DATE CVE VULNERABILITY TITLE RISK
2024-08-01 CVE-2024-7211 Open Redirect vulnerability in 1E Platform
The 1E Platform's component utilized the third-party Duende Identity Server, which suffered from an open redirect vulnerability, permitting an attacker to control the redirection path of end users. Note: 1E Platform's component utilizing the third-party Duende Identity Server has been updated with the patch that includes the fix.
network
low complexity
1e CWE-601
6.1
2023-11-06 CVE-2023-45161 Unspecified vulnerability in 1E Platform
The 1E-Exchange-URLResponseTime instruction that is part of the Network product pack available on the 1E Exchange does not properly validate the URL parameter, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions.
network
low complexity
1e
7.2
2023-11-06 CVE-2023-45163 Unspecified vulnerability in 1E Platform
The 1E-Exchange-CommandLinePing instruction that is part of the Network product pack available on the 1E Exchange does not properly validate the input parameter, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions.
network
low complexity
1e
7.2
2023-11-06 CVE-2023-5964 Unspecified vulnerability in 1E Platform
The 1E-Exchange-DisplayMessageinstruction that is part of the End-User Interaction product pack available on the 1E Exchange does not properly validate the Caption or Message parameters, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions.
network
low complexity
1e
7.2
2023-10-13 CVE-2023-45162 SQL Injection vulnerability in 1E Platform
Affected 1E Platform versions have a Blind SQL Injection vulnerability that can lead to arbitrary code execution.  Application of the relevant hotfix remediates this issue. for v8.1.2 apply hotfix Q23166 for v8.4.1 apply hotfix Q23164 for v9.0.1 apply hotfix Q23169 SaaS implementations on v23.7.1 will automatically have hotfix Q23173 applied.
network
low complexity
1e CWE-89
critical
9.8
2023-10-05 CVE-2023-45160 Files or Directories Accessible to External Parties vulnerability in 1E Client
In the affected version of the 1E Client, an ordinary user could subvert downloaded instruction resource files, e.g., to substitute a harmful script.
network
low complexity
1e CWE-552
8.8
2023-10-05 CVE-2023-45159 Link Following vulnerability in 1E Client
1E Client installer can perform arbitrary file deletion on protected files.   A non-privileged user could provide a symbolic link or Windows junction to point to a protected directory in the installer that the 1E Client would then clear on service startup.
local
low complexity
1e CWE-59
8.4
2020-12-29 CVE-2020-27645 Unquoted Search Path or Element vulnerability in 1E Client 5.0.0.745
The Inventory module of the 1E Client 5.0.0.745 doesn't handle an unquoted path when executing %PROGRAMFILES%\1E\Client\Tachyon.Performance.Metrics.exe.
network
low complexity
1e CWE-428
8.8
2020-12-29 CVE-2020-27644 Unquoted Search Path or Element vulnerability in 1E Client 5.0.0.745
The Inventory module of the 1E Client 5.0.0.745 doesn't handle an unquoted path when executing %PROGRAMFILES%\1E\Client\Tachyon.Performance.Metrics.exe.
network
low complexity
1e CWE-428
8.8
2020-12-29 CVE-2020-27643 Link Following vulnerability in 1E Client 4.1.0.267/5.0.0.745
The %PROGRAMDATA%\1E\Client directory in 1E Client 5.0.0.745 and 4.1.0.267 allows remote authenticated users and local users to create and modify files in protected directories (where they would not normally have access to create or modify files) via the creation of a junction point to a system directory.
network
low complexity
1e CWE-59
6.5