Lucene search

[email protected]NVD:CVE-2023-1719

HistoryNov 01, 2023 - 10:15 a.m.

CVE-2023-1719

2023-11-0110:15:09

CWE-665

[email protected]

web.nvd.nist.gov

bitrix24

vulnerability

global variable extraction

remote attackers

unauthenticated

javascript code

php code

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.1

Confidence

High

EPSS

0.021

Percentile

89.5%

JSON

Global variable extraction in bitrix/modules/main/tools.php in Bitrix24 22.0.300 allows unauthenticated remote attackers to (1) enumerate attachments on the server and (2) execute arbitrary JavaScript code in the victim’s browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via overwriting uninitialised variables.

Affected configurations

Nvd

Node

bitrix24bitrix24Match22.0.300

VendorProductVersionCPE
bitrix24bitrix2422.0.300cpe:2.3:a:bitrix24:bitrix24:22.0.300:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
bitrix24	bitrix24	22.0.300	cpe:2.3:a:bitrix24:bitrix24:22.0.300:::::::*

References

starlabs.sg/advisories/23/23-1719/

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.1

Confidence

High

EPSS

0.021

Percentile

89.5%

JSON

Related for NVD:CVE-2023-1719

cvelist1 cve1 vulnrichment1 prion1 nuclei1