Vulnerability Details : CVE-2023-5964
The 1E-Exchange-DisplayMessageinstruction that is part of the End-User Interaction product pack available on the 1E Exchange does not properly validate the Caption or Message parameters, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions. This instruction only runs on Windows clients.
To remediate this issue DELETE the instruction “Show dialogue with caption %Caption% and message %Message%” from the list of instructions in the Settings UI, and replace it with the new instruction 1E-Exchange-ShowNotification instruction available in the updated End-User Interaction product pack. The new instruction should show as “Show %Type% type notification with header %Header% and message %Message%” with a version of 7.1 or above.
Vulnerability category: Input validation
Products affected by CVE-2023-5964
- cpe:2.3:a:1e:platform:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-5964
0.09%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 39 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-5964
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.2
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
1.2
|
5.9
|
NIST | |
9.9
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
3.1
|
6.0
|
1E Limited |
CWE ids for CVE-2023-5964
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: security@1e.com (Secondary)
References for CVE-2023-5964
-
https://www.1e.com/trust-security-compliance/cve-info/
CVE Info - 1EVendor Advisory
-
https://exchange.1e.com/product-packs/end-user-interaction/
End-user Interaction – 1E ExchangeProduct
Jump to