We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2023-5964

1E-Exchange-DisplayMessage instruction allows for arbitrary code execution



Description

The 1E-Exchange-DisplayMessageinstruction that is part of the End-User Interaction product pack available on the 1E Exchange does not properly validate the Caption or Message parameters, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions. This instruction only runs on Windows clients. To remediate this issue DELETE the instruction “Show dialogue with caption %Caption% and message %Message%” from the list of instructions in the Settings UI, and replace it with the new instruction 1E-Exchange-ShowNotification instruction available in the updated End-User Interaction product pack. The new instruction should show as “Show %Type% type notification with header %Header% and message %Message%” with a version of 7.1 or above.

Reserved 2023-11-06 | Published 2023-11-06 | Updated 2024-09-05 | Assigner 1E


CRITICAL: 9.9CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-20 Improper Input Validation

Product status

Default status
affected

Any version
affected

Credits

Lockheed Martin red team finder

References

exchange.1e.com/product-packs/end-user-interaction/

www.1e.com/trust-security-compliance/cve-info/

cve.org (CVE-2023-5964)

nvd.nist.gov (CVE-2023-5964)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2023-5964

Support options

Helpdesk Chat, Email, Knowledgebase
Subscribe to our newsletter to learn more about our work.

© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.