PT-2023-29441 · 1E · 1E Client

Lockheed Martin · Published 2023-10-05 · Updated 2025-05-20 · CVE-2023-45159

CVSS v3.1: 8.4 High

Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: 1E Client versions 8.1 through 9.0

Description: The 1E Client installer can perform arbitrary file deletion on protected files. A non-privileged user could provide a symbolic link or Windows junction to point to a protected directory in the installer that the 1E Client would then clear on service startup.

Recommendations: For version 8.1, use hotfix Q23097. For version 8.4, use hotfix Q23105. For version 9.0, use hotfix Q23115. For SaaS customers, use 1E Client version 23.7 plus hotfix Q23121. As a temporary workaround, consider disabling the use of symbolic links or Windows junctions in the installer until a hotfix is applied.

Fix

Link Following

Weakness Enumeration

Related Identifiers

CVE-2023-45159

Affected Products

1E Client