CVE-2023-1720

CVSS 3.1 Score 8.0 of 10 (high)

Details

Published Nov 1, 2023

Updated: Nov 9, 2023

CWE ID 434

Summary

CVE-2023-1720 is a vulnerability affecting Bitrix24 version 22.0.300. The issue lies in the lack of a mime type response header, which enables authenticated attackers to inject arbitrary JavaScript code in victims' browsers. With sufficient privileges, attackers may also be able to execute PHP code on the server by uploading a specially crafted HTML file via the /desktop_app/file.ajax.php?action=uploadfile endpoint.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Bitrix24

Affected Vendors

Bitrix24

Advisories, Assessments, and Mitigations

https://app.recordedfuture.com/live/sc/entity/sbc8-2
https://www.cve.org/CVERecord?id=CVE-2023-1720
https://nvd.nist.gov/vuln/detail/CVE-2023-1720

Back to Vulnerability Database