
181 matches found

Source: Nuclei | added yesterday | 137 views

Bitrix24 <=20.0.0 - Cross-Site Scripting

The Web Application Firewall in Bitrix24 up to and including 20.0.0 allows XSS via the itemsITEMSID parameter to the components/bitrix/mobileapp.list/ajax.php/ URI. id: CVE-2020-13483 info: name: Bitrix24 20.0.0 to mitigate this vulnerability. reference: -...

CVSS 6.1 | AI score 6.3 | EPSS 0.26042
Exploits: 1 | References: 5
Source: Nuclei | added 6 days ago | 232 views

Bitrix Component - Cross-Site Scripting

Global variable extraction in bitrix/modules/main/tools.php in Bitrix24 22.0.300 allows unauthenticated remote attackers to (1) enumerate attachments on the server and (2) execute arbitrary JavaScript code in the victim's browser, and possibly execute arbitrary PHP code on the server if the victim ha...

CVSS 9.8 | AI score 7.7 | EPSS 0.8613
Exploits: 1 | References: 3
Source: OSV | added 2026/05/20 11:18 a.m. | 6 views

MAL-2026-4498 Malicious code in bitrix24-tasks-mcp-server (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bab6892c4cbccd8f2a92bfc67413a5c5c300a691b104e064f126805e66a3842f build/bitrix24/client.js line 6-7 declares const BITRIX24WEBHOOKURL = process.env.BITRIX24WEBHOOKURL ||...

AI score 5.9
Exploits: 0 | References: 4
Source: OSSF Malicious Packages | added 2026/05/20 11:18 a.m. | 9 views

Malicious code in bitrix24-tasks-mcp-server (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bab6892c4cbccd8f2a92bfc67413a5c5c300a691b104e064f126805e66a3842f build/bitrix24/client.js line 6-7 declares const BITRIX24WEBHOOKURL = process.env.BITRIX24WEBHOOKURL ||...

AI score 5.9
Exploits: 0 | References: 4
Source: EUVD | added 2026/05/08 9:31 a.m. | 3 views

EUVD-2025-209734

Bitrix24 through 25.100.300 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged...

CVSS 6.3 | AI score 6 | EPSS 0.00036
Exploits: 3 | References: 7
Source: NVD | added 2026/05/08 7:16 a.m. | 4 views

CVE-2025-67886

Bitrix24 through 25.100.300 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged...

CVSS 6.3 | EPSS 0.00036
Exploits: 3 | References: 6
Source: CNNVD | added 2026/05/08 12:00 a.m. | 3 views

Bitrix24 Code Issue Vulnerability

Bitrix24 is an enterprise social platform developed by the American company Bitrix. This platform includes features such as online communication, calendar management, and CRM (Customer Relationship Management). Versions of Bitrix24 prior to 25.100.300 contained a code vulnerability. This...

CVSS 6.3 | AI score 6.2 | EPSS 0.00036
Exploits: 3 | References: 1
Source: Vulnrichment | added 2026/05/08 12:00 a.m. | 2 views

CVE-2025-67886

Bitrix24 through 25.100.300 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged...

AI score 6 | EPSS 0.00036
Exploits: 3 | References: 5
Source: CVE | added 2026/05/08 12:00 a.m. | 22 views

CVE-2025-67886

CVE-2025-67886 affects Bitrix24 up to version 25.100.300, with the vulnerability residing in the Translate Module. An actor with SOURCE/WRITE permissions can upload an archive containing a PHP file and a crafted .htaccess, which then leads to remote code execution after extraction. Exploitation d...

CVSS 6.3 | AI score 6 | EPSS 0.00036
Exploits: 3 | References: 6
Source: ATTACKERKB | added 2026/05/08 12:00 a.m. | 6 views

CVE-2025-67886

Bitrix24 through 25.100.300 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged...

AI score 6 | EPSS 0.00036
Exploits: 3 | References: 6
Source: Cvelist | added 2026/05/08 12:00 a.m. | 22 views

CVE-2025-67886

Bitrix24 through 25.100.300 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged...

EPSS 0.00036
Exploits: 3 | References: 5
Source: Patchstack | added 2026/02/02 8:48 a.m. | 4 views

WordPress Flamix: Bitrix24 and Contact Form 7 integrations plugin <= 3.1.0 - Unauthenticated Full Path Disclosure vulnerability

Unauthenticated Full Path Disclosure vulnerability discovered by stealthcopter in WordPress Plugin Flamix: Bitrix24 and Contact Form 7 integrations, versions <= 3.1.0...

CVSS 5.3 | AI score 5.3 | EPSS 0.00866
Exploits: 0 | References: 1 | Affected software: 1
Source: NVD | added 2026/01/13 11:15 p.m. | 5 views

CVE-2022-50911

Rejected reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue...

EPSS 0.00162
Exploits: 0
Source: CVE | added 2026/01/13 10:51 p.m. | 10 views

CVE-2022-50911

Bitrix24 is affected by CVE-2022-50911 per connected sources, described as an authenticated remote code execution vulnerability. An attacker with valid credentials could abuse the PHP command-line administration interface by sending crafted POST requests to an admin endpoint to execute arbitrary ...

AI score 8.4 | EPSS 0.00162
Exploits: 0
Source: Vulnrichment | added 2026/01/13 10:51 p.m. | 2 views

CVE-2022-50911

...

AI score 6.5 | EPSS 0.00162
Exploits: 0
Source: Cvelist | added 2026/01/13 10:51 p.m. | 19 views

CVE-2022-50911

...

EPSS 0.00162
Exploits: 0
Source: Positive Technologies | added 2026/01/13 12:00 a.m. | 7 views

PT-2026-2387

Name of the Vulnerable Software and Affected Versions: Bitrix24 (affected versions not specified). Description: A logged-in attacker can execute arbitrary system commands through the PHP command line admin interface, leading to remote code execution. The attacker leverages this by sending crafted POST...

CVSS 8.8 | AI score 8.3 | EPSS 0.00162
Exploits: 0 | References: 5
Source: CNNVD | added 2026/01/13 12:00 a.m. | 3 views

Bitrix24 Security Vulnerability

Bitrix24 is a suite of enterprise social platforms from Bitrix USA. The platform includes features such as online communication, calendar management and CRM (Customer Relationship Management). A security vulnerability exists in Bitrix24, which originates from authenticated remote code execution, an...

AI score 6.2 | EPSS 0.00162
Exploits: 0 | References: 3
Source: RedhatCVE | added 2026/01/09 9:36 a.m. | 8 views

CVE-2024-34891

Insufficiently protected credentials in DAV server settings in 1C-Bitrix Bitrix24 23.300.100 allows remote administrators to read Exchange account passwords via HTTP GET request...

CVSS 6.8 | AI score 7 | EPSS 0.00056
Exploits: 1 | References: 1
Source: RedhatCVE | added 2026/01/09 9:36 a.m. | 7 views

CVE-2024-34887

Insufficiently protected credentials in AD/LDAP server settings in 1C-Bitrix Bitrix24 23.300.100 allows remote administrators to send AD/LDAP administrators account passwords to an arbitrary server via HTTP POST request...

CVSS 6.8 | AI score 7.2 | EPSS 0.00146
Exploits: 0 | References: 1