1C
tehnazavr, 2018-12-06 14:44:04

What are the vulnerabilities in 1C?

Good day.
I wonder what vulnerabilities there are in the 1C system. This is not about 1C-Bitrix, but about 1C:Enterprise, the configurator and the client ...
For example, there is the OWASP Top 10 for the web. Is there something similar for 1C? And are web attacks typical for the 1C platform? Is it possible to perform some kind of injection or XXE attack there, for example?

6 answer(s)
stratosmi, 2018-12-06
@tehnazavr

1C is not one single, uniform thing.
There are many things, and very different ones.
They should be distinguished:
Example:
In the previous generation (the current one is V8, already at version 8.4), that is V7 (more precisely version 7.7, known as V77), there was a truly wonderful vulnerability:
If the database used by 1C was file-based (with the SQL version it is more complicated), it was enough to delete one file and you got full admin access to the database.
After you logged in, this file could be put back, so that no one would notice. The rights of the user who had already logged in remained admin (full).
It is clear that this is a blunder by the platform vendor.
But after all, it is easily fixed by the system administrator (by prohibiting changes to and deletion of this file).
Whose bug is this then?
Or, in 1C, you can run external pieces of code (just "open any file and execute").
But at the same time, the modern version of the platform allows you to prohibit an ordinary user from doing this.
The platform warns about opening such files, etc.
The platform allows you to limit what the user can read and write in the database (such external code is executed on behalf of some user and with his rights).
Whose blunder is it, and is it considered a vulnerability, when users still have such rights (and in the vast majority of cases these rights are not limited in any way)?
That is, it makes sense to assess vulnerability only for a very specific system, configured and operated at a particular enterprise.
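
An added example, not part of stratosmi's answer: a detection sketch for the "delete the file, log in, put it back" pattern described above, run over file-audit events. The log format, the paths and the file name credentials.dat are constructed placeholders, not real 1C names.

```python
from datetime import datetime

# Constructed sample events (time|user|action|path). The format and the
# file name "credentials.dat" are placeholders, not real 1C names.
SAMPLE_LOG = """\
2018-12-06 09:00:12|ivanov|WRITE|D:\\bases\\acc\\journal.dat
2018-12-06 09:14:03|petrov|DELETE|D:\\bases\\acc\\credentials.dat
2018-12-06 09:15:40|petrov|CREATE|D:\\Bases\\Acc\\CREDENTIALS.DAT
this line is malformed and must be skipped
2018-12-06 11:30:00|sidorov|DELETE|D:\\bases\\trade\\credentials.dat
"""

def parse(log):
    """Yield (time, user, action, normalised path) for well-formed lines."""
    for line in log.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing
        ts, user, action, path = parts
        # Windows paths are case-insensitive, so compare them lower-cased.
        yield (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user,
               action.upper(), path.lower())

def find_delete_restore(log, protected_name):
    """Report every deletion of the protected file and whether it came back."""
    pending, findings = {}, []
    for ts, user, action, path in parse(log):
        if path.rsplit("\\", 1)[-1] != protected_name.lower():
            continue  # only the protected file is of interest
        if action == "DELETE":
            pending[path] = (ts, user)
        elif action == "CREATE" and path in pending:
            del_ts, del_user = pending.pop(path)
            gap = int((ts - del_ts).total_seconds())
            findings.append(("deleted_then_restored", path, del_user, gap))
    # A deletion that was never followed by a restore still deserves an alert.
    for path, (_, user) in pending.items():
        findings.append(("deleted_not_restored", path, user, None))
    return findings

if __name__ == "__main__":
    for finding in find_delete_restore(SAMPLE_LOG, "credentials.dat"):
        print(finding)
```

Any finding means the file was writable by an ordinary user, which is exactly what the administrator-side fix mentioned in the answer is meant to prevent.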

Konstantin, 2018-12-06
@fosihas

What are the vulnerabilities in 1C?

1. Human factor.
2....

Sergey, 2018-12-06
@SuNbka

Start here: its.1c.ru, wiki.

Dmitry, 2018-12-06
@dimoff66

1C is a platform; it all depends on the specific configuration. In standard configurations, no code entered by the user as text is executed, therefore injections are not possible. Only if access to external files is open to him, as the user stratosmi wrote above, can the attacker, within the limits of his rights, execute any query against the database. But then again, if his rights are clearly limited to user access, then even with external files open, the system will not allow him to change objects programmatically.

Alexey Bespalov, 2018-12-20
@FreeArcher

1C is usually not exposed to the outside; that is only now starting to develop. So far I haven't heard any information about hacks.

seeges, 2021-01-26
@seeges

1C vulnerabilities are a big topic, because the vulnerability can indeed be in the platform itself as well as in the solutions written on it. Nobody investigates these vulnerabilities, because the value of the information that would become available to the attacker is negligible (well, the majority seems to think so).
From what I have already encountered:
1) A vulnerability associated with replacing the "built-in" data processors of the platform. This seems to be a feature, not a bug. This functionality is described in the article https://infostart.ru/1c/articles/369487/. It turns out that it is enough to replace a "built-in" data processor with your own on the client side (thick client or thin). And this works even though you may be blocked, at the rights level, from opening files from the 1C interface. But in my opinion this is a clear bug, because it essentially allows you to modify the client part of the application (and even the "server code" from the same data processor will run in the thin client). I have not studied how the platform behaves with such a data processor on the web. Beyond that, there may be many different scenarios for using the "new" data processor.
2) Downloading detailed configuration information and displaying it in the web client debugger. This is probably also considered a feature, because it speaks to the openness of the 1C platform. Turn on debugging on the web and you will see very detailed configuration information: metadata object names, forms, modules, and so on. And it is all in the open. It is one thing with a configuration written from scratch, where we clearly don't know what is inside a "function" or "procedure". It is another with standard configurations built on the BSP, where we know what is executed on the server and where, what is executed in privileged mode and where, etc. And if in a desktop application this is at least somehow hidden inside the application, then on the web everything is open: you can call the necessary procedures / functions with a simple POST request. The main thing, of course, is to log in.
