Headline
CVE-2023-5964: End-user Interaction - 1E Exchange
The 1E-Exchange-DisplayMessage instruction that is part of the End-User Interaction product pack available on the 1E Exchange does not properly validate the Caption or Message parameters, which allows a specially crafted input to perform arbitrary code execution with SYSTEM permissions.
To remediate this issue, DELETE the instruction “Show dialogue with caption %Caption% and message %Message%” from the list of instructions in the Settings UI, and replace it with the new 1E-Exchange-ShowNotification instruction available in the updated End-User Interaction product pack. The new instruction should show as “Show %Type% type notification with header %Header% and message %Message%” with a version of 7.1 or above.
Description
This product pack notifies end users with a pop-up notification that has a caption and a text message or other information.
Key Features
- Display information, warning and error messages to the user.
Setup
- This Product Pack contains instructions.
- Upload the Product Pack either with the Tachyon Product Pack Deployment Tool or directly by clicking the Upload button from Instruction set in 1E Platform.
- Create an Instruction Set named End-user Interaction and move all the instructions from the Unassigned Set to this set, unless you use the Product Pack Deployment Tool, which creates it automatically.
Usage
- Go to Explorer and search for "Show <Type> type dialog box with header <Header> and message <Message>".
- Supply the Type, Header and Message in the instruction and click Perform this Action.
- The users should get a notification pop-up on their device.
Components
Description
Show a notification on the end-user device using the specified type of dialog box, containing the header and message.
Readable Payload
Show %Type% type notification with header %Header% and message %Message%