CVE-2024-34887

Insufficiently protected credentials in AD/LDAP server settings in 1C-Bitrix Bitrix24 23.300.100 allows remote administrators to send AD/LDAP administrators account passwords to an arbitrary server via HTTP POST request...

CVE-2024-34883

Insufficiently protected credentials in DAV server settings in 1C-Bitrix Bitrix24 23.300.100 allow remote administrators to read proxy-server accounts passwords via HTTP GET request...

Exploit for CVE-2025-67886

CVE-2025-67886 Bi...

📄 Bitrix24 25.100.300 Remote Code Execution

Bitrix24 versions 25.100.300 and below have a vulnerability that is located within the Translate Module, which allows users to upload and extract archive files into a temporary directory. However, the application fails to properly verify the contents of these archives before extracting them. This...

EUVD-2020-20690

Malware in sbrugna...

EUVD-2020-5977

Malware in sbrugna...

EUVD-2020-5734

Malware in sbrugna...

EUVD-2023-23940

Malicious code in bioql PyPI...

EUVD-2023-23943

Malicious code in bioql PyPI...

EUVD-2023-23937

Malicious code in bioql PyPI...

EUVD-2023-23936

Malicious code in bioql PyPI...

EUVD-2023-23938

Malicious code in bioql PyPI...

EUVD-2023-23939

Malicious code in bioql PyPI...

EUVD-2024-47640

Malicious code in bioql PyPI...

CVE-2023-1717

Prototype pollution in bitrix/templates/bitrix24/components/bitrix/menu/leftvertical/script.js in Bitrix24 22.0.300 allows remote attackers to execute arbitrary JavaScript code in the victim’s browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege...

CVE-2023-1715

A logic error when using mbstrpos to check for potential XSS payload in Bitrix24 22.0.300 allows attackers to bypass XSS sanitisation via placing HTML tags at the begining of the payload...

CVE-2023-1716

Cross-site scripting XSS vulnerability in Invoice Edit Page in Bitrix24 22.0.300 allows attackers to execute arbitrary JavaScript code in the victim's browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege...

CVE-2023-1719

Global variable extraction in bitrix/modules/main/tools.php in Bitrix24 22.0.300 allows unauthenticated remote attackers to 1 enumerate attachments on the server and 2 execute arbitrary JavaScript code in the victim's browser, and possibly execute arbitrary PHP code on the server if the victim ha...

CVE-2023-1714

Unsafe variable extraction in bitrix/modules/main/classes/general/useroptions.php in Bitrix24 22.0.300 allows remote authenticated attackers to execute arbitrary code via 1 appending arbitrary content to existing PHP files or 2 PHAR deserialization...

CVE-2023-1718

Improper file stream access in /desktopapp/file.ajax.php?action=uploadfile in Bitrix24 22.0.300 allows unauthenticated remote attackers to cause denial-of-service via a crafted "tmpurl"...