Vulnerability Details : CVE-2023-1719
Global variable extraction in bitrix/modules/main/tools.php in Bitrix24 22.0.300 allows unauthenticated remote attackers to (1) enumerate attachments on the server and (2) execute arbitrary JavaScript code in the victim's browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via overwriting uninitialised variables.
Products affected by CVE-2023-1719
- cpe:2.3:a:bitrix24:bitrix24:22.0.300:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-1719
2.64%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 91 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-1719
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
STAR Labs SG Pte. Ltd. | |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2023-1719
-
The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.Assigned by:
- info@starlabs.sg (Secondary)
- nvd@nist.gov (Primary)
References for CVE-2023-1719
-
https://starlabs.sg/advisories/23/23-1719/
(CVE-2023-1719) Bitrix24 Insecure Global Variable Extraction | STAR LabsExploit;Third Party Advisory
Jump to