HIGH🇵🇱 Wersja polska

CVE-2023-45159

CVSS 8.4v3.1pub. 2023-10-05upd. 2025-05-20

1E Client installer can perform arbitrary file deletion on protected files.   A non-privileged user could provide a symbolic link or Windows junction to point to a protected directory in the installer that the 1E Client would then clear on service startup. A hotfix is available from the 1E support portal that forces the 1E Client to check for a symbolic link or junction and if it finds one refuses to use that path and instead creates a path involving a random GUID. for v8.1 use hotfix Q23097 for v8.4 use hotfix Q23105 for v9.0 use hotfix Q23115 for SaaS customers, use 1EClient v23.7 plus hotfix Q23121

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • 1e Client

    APP
    1E
    23.7.1.1518.1.2.628.4.1.1599.0.1.88
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2023-45160HIGH8.8ten sam produkt

In the affected version of the 1E Client, an ordinary user could subvert downloaded instruction resource files...

CVE-2020-16268HIGH8.8ten sam produkt

The MSI installer in 1E Client 4.1.0.267 and 5.0.0.745 allows remote authenticated users and local users to ga...

CVE-2020-27644HIGH8.8ten sam produkt

The Inventory module of the 1E Client 5.0.0.745 doesn't handle an unquoted path when executing %PROGRAMFILES%\...

CVE-2020-27645HIGH8.8ten sam produkt

The Inventory module of the 1E Client 5.0.0.745 doesn't handle an unquoted path when executing %PROGRAMFILES%\...

CVE-2020-27643MEDIUM6.5ten sam produkt

The %PROGRAMDATA%\1E\Client directory in 1E Client 5.0.0.745 and 4.1.0.267 allows remote authenticated users a...