PT-2023-32446 · 1E · 1E Exchange End-User Interaction

Published: 2023-11-06 · Updated: 2025-05-20 · CVE-2023-5964

CVSS v3.1: 9.9 (Critical)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

1E Exchange End-User Interaction product pack versions prior to 7.1

Description

The 1E-Exchange-DisplayMessage instruction does not properly validate the Caption or Message parameters, allowing for arbitrary code execution with SYSTEM permissions. This issue only affects Windows clients.

Recommendations

To remediate this issue, delete the instruction “Show dialogue with caption %Caption% and message %Message%” from the list of instructions in the Settings UI, and replace it with the new 1E-Exchange-ShowNotification instruction available in the updated End-User Interaction product pack, which should show as “Show %Type% type notification with header %Header% and message %Message%” with a version of 7.1 or above.

Fix

RCE

Weakness Enumeration

Related Identifiers

CVE-2023-5964

Affected Products

1E Exchange End-User Interaction