CVE-2023-5964

06.11.2023, 13:15

The 1E-Exchange-DisplayMessageinstruction that is part of the End-User Interaction product pack available on the 1E Exchange does not properly validate the Caption or Message parameters, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions. This instruction only runs on Windows clients.

To remediate this issue DELETE the instructionShow dialogue with caption %Caption% and message %Message% from the list of instructions in the Settings UI, and replace it with the new instruction1E-Exchange-ShowNotification instruction available in the updated End-User Interaction product pack. The new instruction should show asShow %Type% type notification with header %Header% and message %Message% with a version of 7.1 or above.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.9 CRITICAL	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
1E	CNA	9.9 CRITICAL	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 40%

Vendor	Product	Version
1e	platform	𝑥 < 23.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-20 - Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References

https://exchange.1e.com/product-packs/end-user-interaction/

https://www.teamviewer.com/en/resources/trust-center/security-bulletins/1e-2023-2006/

https://exchange.1e.com/product-packs/end-user-interaction/

https://www.1e.com/trust-security-compliance/cve-info/