Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
1E-Exchange-DisplayMessage instruction allows for arbitrary code execution
Vulnerability Description
The 1E-Exchange-DisplayMessageinstruction that is part of the End-User Interaction product pack available on the 1E Exchange does not properly validate the Caption or Message parameters, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions. This instruction only runs on Windows clients. To remediate this issue DELETE the instruction “Show dialogue with caption %Caption% and message %Message%” from the list of instructions in the Settings UI, and replace it with the new instruction 1E-Exchange-ShowNotification instruction available in the updated End-User Interaction product pack. The new instruction should show as “Show %Type% type notification with header %Header% and message %Message%” with a version of 7.1 or above.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Vulnerability Type
输入验证不恰当
Vulnerability Title
1E Platform 安全漏洞
Vulnerability Description
1E Platform是1E公司的一种终端端点管理和自动化解决方案。 1E Platform–Exchange Product Pack–End-User Interaction 23之前版本存在安全漏洞,该漏洞源于没有正确验证Caption或Message参数,导致攻击者可通过特制的输入使用SYSTEM权限执行任意代码。
CVSS Information
N/A
Vulnerability Type
N/A