CVE-2023-1719: Bitrix24 Insecure Global Variable Extraction

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2023-1719

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Bitrix24 Insecure Global Variable Extraction

Source: NVD (National Vulnerability Database)

Vulnerability Description

Global variable extraction in bitrix/modules/main/tools.php in Bitrix24 22.0.300 allows unauthenticated remote attackers to (1) enumerate attachments on the server and (2) execute arbitrary JavaScript code in the victim's browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via overwriting uninitialised variables.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

初始化不恰当

Source: NVD (National Vulnerability Database)

Vulnerability Title

Bitrix24 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Bitrix24是美国Bitrix公司的一套企业社交平台。该平台包括在线通讯、日历管理和CRM（客户关系管理）等功能。 Bitrix24 22.0.300版本存在安全漏洞，该漏洞源于文件/main/tools.php存在安全漏洞。攻击者可利用该漏洞枚举服务器上的附件，或在受害者的浏览器中执行任意JavaScript代码。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Bitrix24	Bitrix24	0 ~ 22.0.300	-

II. Public POCs for CVE-2023-1719

#	POC Description	Source Link	Shenlong Link
1	Global variable extraction in bitrix/modules/main/tools.php in Bitrix24 22.0.300 allows unauthenticated remote attackers to (1) enumerate attachments on the server and (2) execute arbitrary JavaScript code in the victim’s browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via overwriting uninitialised variables.	https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-1719.yaml	POC Details

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2023-1719

Please Login to view more intelligence information

https://starlabs.sg/advisories/23/23-1719/third-party-advisory
https://nvd.nist.gov/vuln/detail/CVE-2023-1719

IV. Related Vulnerabilities

Same product: Bitrix24

Same vendor: Bitrix24

Same weakness: CWE-665

V. Comments for CVE-2023-1719

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

I. Basic Information for CVE-2023-1719

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2023-1719

III. Intelligence Information for CVE-2023-1719

IV. Related Vulnerabilities

V. Comments for CVE-2023-1719

Leave a comment