CVE-2023-1717: Bitrix24 Cross-Site Scripting (XSS) via Client-side Prototype Pollution
First published: Wed Nov 01 2023(Updated: )
Prototype pollution in bitrix/templates/bitrix24/components/bitrix/menu/left_vertical/script.js in Bitrix24 22.0.300 allows remote attackers to execute arbitrary JavaScript code in the victim’s browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via polluting `__proto__[tag]` and `__proto__[text]`.
Credit: info@starlabs.sg
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Bitrix24 Bitrix24 | =22.0.300 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-1717?
CVE-2023-1717 is a vulnerability in Bitrix24 that allows remote attackers to execute arbitrary JavaScript code in the victim's browser and possibly execute arbitrary PHP code on the server.
What is the severity of CVE-2023-1717?
CVE-2023-1717 has a severity rating of 9.6, which is considered critical.
How does CVE-2023-1717 work?
CVE-2023-1717 exploits prototype pollution in the bitrix/templates/bitrix24/components/bitrix/menu/left_vertical/script.js file to inject and execute arbitrary JavaScript code in the victim's browser.
How can an attacker exploit CVE-2023-1717?
An attacker can exploit CVE-2023-1717 by sending specially crafted requests to the vulnerable Bitrix24 application, allowing them to execute arbitrary JavaScript code in the victim's browser.
Is there a fix for CVE-2023-1717?
At the time of this writing, there is no known fix or patch available for CVE-2023-1717. It is recommended to update to a non-vulnerable version when it becomes available.
- collector/mitre-cve
- collector/nvd-api
- vendor/bitrix24
- canonical/bitrix24 bitrix24
- version/bitrix24 bitrix24/22.0.300