PT-2024-7261 · 1с · Bitrix24
Name of the Vulnerable Software and Affected Versions: 1C-Bitrix Bitrix24 version 23.300.100 Description: The issue is related to insufficiently protected credentials in SMTP server settings, allowing remote administrators to read SMTP account passwords via an HTTP GET request. This can be...
PT-2024-7264 · 1с · Bitrix24 +1
Name of the Vulnerable Software and Affected Versions: 1C-Bitrix Bitrix24 version 23.300.100 Description: The issue is related to insufficiently protected credentials in the DAV server settings, allowing remote administrators to read proxy-server account passwords via an HTTP GET request. This...
PT-2024-7263 · 1с · Bitrix24 +1
Name of the Vulnerable Software and Affected Versions: 1C-Bitrix Bitrix24 version 23.300.100 Description: The issue concerns insufficiently protected credentials in SMTP server settings, allowing remote administrators to send SMTP account passwords to an arbitrary server via an HTTP POST request...
PT-2024-7262 · Microsoft +1 · Exchange Server +1
Name of the Vulnerable Software and Affected Versions: 1C-Bitrix Bitrix24 version 23.300.100 Description: The issue is related to insufficiently protected credentials in DAV server settings, allowing remote administrators to read Exchange account passwords via an HTTP GET request. This can permit...
VulnCheck KEV: CVE-2020-13483
The Web Application Firewall in Bitrix24 through 20.0.0 allows XSS via the items[ITEMS][ID] parameter to the components/bitrix/mobileapp.list/ajax.php/ URI...
The vulnerability of the Bitrix24 business management service lies in the absence of a proper HTTP response header, allowing attackers to execute arbitrary JavaScript code.
The vulnerability of the bitrix/modules/main/tools.php component of the Bitrix24 business management service is related to the absence of a MIME response header. Exploiting this vulnerability allows an attacker to execute arbitrary JavaScript code by uploading a created HTML file through...
The vulnerability of the `desktop_app/file.ajax.php?action=uploadfile` component in the main module of the Bitrix24 business management service allows an attacker to cause a service failure.
The vulnerability of the desktop_app/file.ajax.php?action=uploadfile component in the main module of the Bitrix24 business management service is related to the execution of a loop with an unreachable exit condition. Exploiting this vulnerability could allow a malicious actor to cause service...
The vulnerability in the component bitrix/templates/bitrix24/components/bitrix/menu/left_vertical/script.js of the main service module for managing Bitrix24 allows a hacker to execute arbitrary JavaScript code.
The vulnerability of the component bitrix/templates/bitrix24/components/bitrix/menu/left_vertical/script.js, which is part of the main service for managing Bitrix24, relates to uncontrolled changes to prototype object attributes. Exploiting this vulnerability could allow an attacker to execute...
The vulnerability in the bitrix/modules/main/tools.php component of the Bitrix24 business management service allows a malicious individual to gain unauthorized access to protected information and execute arbitrary JavaScript code.
The vulnerability of the bitrix/modules/main/tools.php component of the Bitrix24 business management service is related to initialization errors. Exploiting this vulnerability could allow an attacker, operating remotely, to gain unauthorized access to protected information and execute arbitrary...
The vulnerability of the mb_strpos() function in the Bitrix24 business management service allows an attacker to perform XSS attacks.
The vulnerability of the mb_strpos() function in the Bitrix24 business management service is related to the lack of measures taken to neutralize script injection in web pages. Exploiting this vulnerability allows a remote attacker to execute XSS attacks by embedding HTML tags at the...
The vulnerability in the `bitrix/modules/main/classes/general/user_options.php` file of the `main` module of the Bitrix24 business management service allows a hacker to execute arbitrary code and gain increased privileges.
The vulnerability of the bitrix/modules/main/classes/general/user_options.php file in the Bitrix24 business management module is related to improper external manipulation of the file's name or path. Exploiting this vulnerability allows a malicious actor to execute arbitrary code remotely and...
The vulnerability of the Invoice Edit Page of the Bitrix24 business management service allows an attacker to perform XSS attacks.
The vulnerability of the Invoice Edit Page of the Bitrix24 business management service relates to the failure to take measures to neutralize the script in the web page’s attributes. Exploiting this vulnerability allows a malicious actor to carry out XSS attacks remotely...
CVE-2023-1719
Global variable extraction in bitrix/modules/main/tools.php in Bitrix24 22.0.300 allows unauthenticated remote attackers to (1) enumerate attachments on the server and (2) execute arbitrary JavaScript code in the victim's browser, and possibly execute arbitrary PHP code on the server if the victim ha...
CVE-2023-1715
A logic error when using mb_strpos to check for a potential XSS payload in Bitrix24 22.0.300 allows attackers to bypass XSS sanitisation via placing HTML tags at the beginning of the payload...
CVE-2023-1717
Prototype pollution in bitrix/templates/bitrix24/components/bitrix/menu/left_vertical/script.js in Bitrix24 22.0.300 allows remote attackers to execute arbitrary JavaScript code in the victim's browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege...
CVE-2023-1718
Improper file stream access in /desktop_app/file.ajax.php?action=uploadfile in Bitrix24 22.0.300 allows unauthenticated remote attackers to cause denial-of-service via a crafted "tmp_url"...
CVE-2023-1714
Unsafe variable extraction in bitrix/modules/main/classes/general/user_options.php in Bitrix24 22.0.300 allows remote authenticated attackers to execute arbitrary code via (1) appending arbitrary content to existing PHP files or (2) PHAR deserialization...
CVE-2023-1720
Lack of mime type response header in Bitrix24 22.0.300 allows authenticated remote attackers to execute arbitrary JavaScript code in the victim's browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via uploading a crafted HTML file through...
CVE-2023-1716
Cross-site scripting (XSS) vulnerability in Invoice Edit Page in Bitrix24 22.0.300 allows attackers to execute arbitrary JavaScript code in the victim's browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege...