Global variable extraction in bitrix/modules/main/tools.php in Bitrix24 22.0.300 allows unauthenticated remote attackers to (1) enumerate attachments on the server and (2) execute arbitrary JavaScript code in the victim's browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via overwriting uninitialised variables.
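The vulnerability class named above, request data extracted into global scope so that variables the script never initialised end up under attacker control, as an added PHP illustration. This is not Bitrix24 code and does not reproduce the logic of `bitrix/modules/main/tools.php`; the request keys `template`, `isAdmin` and `onload` and both render functions are hypothetical, chosen only to show the pattern and its fix.

```php
<?php
// Added example, not Bitrix24 code: shows why extract() over request data lets an
// attacker define variables the script never initialised.

// Constructed request: the keys are hypothetical and attacker-chosen.
$request = [
    'template' => 'default',
    'isAdmin'  => '1',                        // variable the script never set
    'onload'   => 'alert(document.cookie)',   // lands in an inline event handler
];

function renderVulnerable(array $request): string
{
    // BUG: extract() (default flag EXTR_OVERWRITE) turns every request key into a
    // local variable. EXTR_SKIP would not help here either: $isAdmin and $onload do
    // not exist yet, so there is nothing to skip and the attacker's values win.
    extract($request);

    $out = 'template=' . ($template ?? 'default') . "\n";
    if (!empty($isAdmin)) {                   // attacker-controlled branch
        $out .= "admin panel shown\n";
    }
    $out .= '<body onload="' . ($onload ?? '') . "\">\n";   // reflected, unescaped
    return $out;
}

function renderFixed(array $request, bool $sessionIsAdmin = false): string
{
    // Initialise every variable first and read only allow-listed keys explicitly.
    $isAdmin  = $sessionIsAdmin;              // decided by the session, never the request
    $onload   = '';                           // no user input in event handlers
    $template = 'default';
    if (isset($request['template']) && preg_match('/^[a-z0-9_]+$/', $request['template'])) {
        $template = $request['template'];
    }

    $esc = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    $out = 'template=' . $esc($template) . "\n";
    if ($isAdmin) {
        $out .= "admin panel shown\n";
    }
    $out .= '<body onload="' . $esc($onload) . "\">\n";
    return $out;
}

echo "--- vulnerable ---\n", renderVulnerable($request);
echo "--- fixed ---\n", renderFixed($request);
```

Run it with `php demo.php` (PHP 7.4 or later): the vulnerable branch prints "admin panel shown" and reflects the `onload` payload into the markup, the fixed branch prints neither. The practical check when auditing for this class is to grep for `extract(`, `parse_str(` without a target array, and `$$` assignments fed from `$_GET`, `$_POST`, `$_REQUEST` or `$_COOKIE`, then confirm every variable read afterwards was assigned before the extraction; `EXTR_SKIP` only protects variables that already exist, and `EXTR_PREFIX_ALL` is the safer flag when extraction cannot be removed.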
References
Link | Resource |
---|---|
https://starlabs.sg/advisories/23/23-1719/ | Exploit Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: STAR_Labs
Published: 2023-11-01T09:04:19.695Z
Updated: 2023-11-01T09:04:19.695Z
Reserved: 2023-03-30T09:19:45.104Z
Link: CVE-2023-1719
NVD Information
Status : Analyzed
Published: 2023-11-01T10:15:09.373
Modified: 2023-11-09T20:52:06.307
Link: CVE-2023-1719
Redhat Information
No data.
CWE