First published: Wed Nov 01 2023(Updated: )
Prototype pollution in bitrix/templates/bitrix24/components/bitrix/menu/left_vertical/script.js in Bitrix24 22.0.300 allows remote attackers to execute arbitrary JavaScript code in the victim’s browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via polluting `__proto__[tag]` and `__proto__[text]`.
Credit: info@starlabs.sg
Affected Software | Affected Version | How to fix |
---|---|---|
Bitrix24 Bitrix24 | =22.0.300 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-1717 is a vulnerability in Bitrix24 that allows remote attackers to execute arbitrary JavaScript code in the victim's browser and possibly execute arbitrary PHP code on the server.
CVE-2023-1717 has a severity rating of 9.6, which is considered critical.
CVE-2023-1717 exploits prototype pollution in the bitrix/templates/bitrix24/components/bitrix/menu/left_vertical/script.js file to inject and execute arbitrary JavaScript code in the victim's browser.
An attacker can exploit CVE-2023-1717 by sending specially crafted requests to the vulnerable Bitrix24 application, allowing them to execute arbitrary JavaScript code in the victim's browser.
At the time of this writing, there is no known fix or patch available for CVE-2023-1717. It is recommended to update to a non-vulnerable version when it becomes available.