CVE-2023-1719

Exploit

EPSS 86.13%
Veröffentlicht 01.11.2023 10:15:09
Zuletzt bearbeitet 21.11.2024 07:39:45
Quelle info@starlabs.sg
CVE-Watchlists
Login
Unerledigt
Login

Global variable extraction in bitrix/modules/main/tools.php in Bitrix24 22.0.300 allows unauthenticated remote attackers to (1) enumerate attachments on the server and (2) execute arbitrary JavaScript code in the victim's browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via overwriting uninitialised variables.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Bitrix24 ≫ Bitrix24 Version22.0.300

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	86.13%	0.994

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
info@starlabs.sg	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-665 Improper Initialization

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

https://starlabs.sg/advisories/23/23-1719/

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2023-1719

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-1719

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-1719

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-1719