Vulnerabilities > CVE-2023-1717 - Unspecified vulnerability in Bitrix24 22.0.300

CVSS 9.6 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

bitrix24

critical

NVD

Published: 2023-11-01

Updated: 2023-11-09

Summary

Prototype pollution in bitrix/templates/bitrix24/components/bitrix/menu/left_vertical/script.js in Bitrix24 22.0.300 allows remote attackers to execute arbitrary JavaScript code in the victim’s browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via polluting `__proto__[tag]` and `__proto__[text]`.

Vulnerable Configurations

Part	Description	Count
Application	Bitrix24 Bitrix24 Bitrix24 22.0.300	1

References

https://starlabs.sg/advisories/23/23-1717/