CVE-2023-1714

Unsafe variable extraction in bitrix/modules/main/classes/general/useroptions.php in Bitrix24 22.0.300 allows remote authenticated attackers to execute arbitrary code via 1 appending arbitrary content to existing PHP files or 2 PHAR deserialization...

CVE-2023-1713

Insecure temporary file creation in bitrix/modules/crm/lib/order/import/instagram.php in Bitrix24 22.0.300 hosted on Apache HTTP Server allows remote authenticated attackers to execute arbitrary code via uploading a crafted ".htaccess" file...

Input validation

Improper file stream access in /desktopapp/file.ajax.php?action=uploadfile in Bitrix24 22.0.300 allows unauthenticated remote attackers to cause denial-of-service via a crafted "tmpurl"...

PT-2023-6693 · Bitrix +1 · Bitrix24 +1

Name of the Vulnerable Software and Affected Versions: Bitrix24 version 22.0.300 Description: A logic error in the mb strpos function allows attackers to bypass XSS sanitization by placing HTML tags at the beginning of the payload, potentially leading to a cross-site scripting XSS attack. This...