Lam Jun Rong

**Nome do Software Vulnerável e Versões Afetadas** Vinyl Cache versões anteriores a 9.0.1 Varnish Cache versões anteriores a 9.0.3 **Description** Uma deficiência na análise de requisições HTTP/2 permite ataques de dessincronização de requisições de backend, também conhecidos como request smuggling. Isso ocorre quando os servidores de frontend e backend divergem sobre onde termina uma requisição, permitindo que um invasor "contrabandeie" uma requisição. Isso pode levar ao envenenamento de cache, bypass de autenticação, divulgação de informações e manipulação de dados. O problema só existe se o suporte ao HTTP/2 estiver habilitado ao configurar o parâmetro `feature` para conter `+http2`. Por padrão, esse suporte está desativado. **Recommendations** Atualize o Vinyl Cache para a versão 9.0.1 ou posterior. Atualize o Varnish Cache para a versão 9.0.3 ou posterior. Como mitigação temporária, certifique-se de que o suporte ao HTTP/2 esteja desativado removendo `+http2` do parâmetro `feature`.

**Nome do Software Vulnerável e Versões Afetadas** (versões afetadas não especificadas) **Descrição** A exploração bem-sucedida desta falha pode permitir que um atacante execute comandos arbitrários como root, potencialmente levando à perda de confidencialidade, integridade, disponibilidade e ao controle total do ponto de acesso. **Recomendações** No momento, não há informações sobre uma versão mais recente que contenha uma correção para esta vulnerabilidade.

Nome do Software Vulnerável e Versões Afetadas: O nome do produto não pode ser determinado. Descrição: A vulnerabilidade permite que um atacante não autenticado faça upload de firmware por meio de uma página pública de atualização. Isso pode potencialmente levar à instalação de backdoor ou escalonamento de privilégios. Recomendações: No momento, não há informações sobre uma versão mais recente que contenha uma correção para esta vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** Bitrix24 version 22.0.300 **Description** An improper file stream access issue exists in the `/desktop app/file.ajax.php?action=uploadfile` component of Bitrix24. This allows unauthenticated remote attackers to cause a denial-of-service condition by using a crafted `tmp url`. The issue is related to a loop with an inaccessible exit condition. The affected API endpoint is `/desktop app/file.ajax.php` with the `action` parameter set to `uploadfile`. The vulnerable parameter is `tmp url`. **Recommendations** Bitrix24 version 22.0.300: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bitrix24 version 22.0.300 **Description** The issue is related to prototype pollution in the bitrix/templates/bitrix24/components/bitrix/menu/left vertical/script.js component of Bitrix24. This allows remote attackers to execute arbitrary JavaScript code in the victim's browser and possibly execute arbitrary PHP code on the server if the victim has administrator privileges. The exploitation is done by polluting ` proto [tag]` and ` proto [text]`. **Recommendations** For Bitrix24 version 22.0.300, consider disabling the script.js component temporarily until a patch is available to prevent exploitation. Restrict access to the bitrix/templates/bitrix24/components/bitrix/menu/left vertical/script.js file to minimize the risk of exploitation. Avoid using the ` proto [tag]` and ` proto [text]` variables in the affected component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bitrix24 version 22.0.300 **Description** An unsafe variable extraction issue exists in the `bitrix/modules/main/classes/general/user options.php` file. This allows remote authenticated attackers to execute arbitrary code through two methods: appending arbitrary content to existing PHP files, or PHAR deserialization. The issue involves incorrect external control of the file name or path. Exploitation may allow an attacker to execute arbitrary code and elevate privileges. **Recommendations** Bitrix24 version 22.0.300: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bitrix24 versions prior to 22.0.300 **Description** An issue exists in the component `bitrix/modules/crm/lib/order/import/instagram.php` of Bitrix24 that stems from insufficient protection of web page structure. Exploitation of this issue could allow a remote attacker to execute arbitrary code by uploading a specially crafted ".htaccess" file. The issue allows for privilege escalation. The vulnerability is tracked as CVE-2023-1713. No information is available regarding the number of potentially affected devices worldwide or any real-world incidents where this issue has been exploited. The vulnerability involves insecure temporary file creation. The vulnerable file is located at `bitrix/modules/crm/lib/order/import/instagram.php`. **Recommendations** Disable or remove unused user accounts. Minimize user privileges. Utilize web application firewall (WAF) tools. Monitor server access logs for requests to '/upload/tmp/xxx/.htaccess' (where xxx is a 3-character alphanumeric string) or any request to '/upload/tmp/' via HTTP. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bitrix24 version 22.0.300 **Description** A logic error in the `mb strpos()` function allows attackers to bypass XSS sanitization by placing HTML tags at the beginning of the payload, potentially leading to a cross-site scripting (XSS) attack. This issue is related to the failure to neutralize scripts in attributes on web pages. **Recommendations** For Bitrix24 version 22.0.300, consider disabling the `mb strpos()` function until a patch is available to prevent exploitation of this issue. Restrict access to any modules or functions that utilize the `mb strpos()` function to minimize the risk of XSS attacks. Avoid using HTML tags at the beginning of any payload in the affected version to reduce the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bitrix24 version 22.0.300 **Description** The issue is related to the lack of a mime type response header in Bitrix24, which allows authenticated remote attackers to execute arbitrary JavaScript code in the victim's browser. If the victim has administrator privileges, it is also possible to execute arbitrary PHP code on the server. This can be achieved by uploading a crafted HTML file through the "/desktop app/file.ajax.php?action=uploadfile" endpoint. **Recommendations** For Bitrix24 version 22.0.300, as a temporary workaround, consider disabling the upload functionality through the "/desktop app/file.ajax.php?action=uploadfile" endpoint until a patch is available. Restrict access to the `file.ajax.php` module to minimize the risk of exploitation. Avoid using this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bitrix24 version 22.0.300 **Description** The issue in Bitrix24 is related to global variable extraction in the bitrix/modules/main/tools.php component, allowing unauthenticated remote attackers to enumerate attachments on the server and execute arbitrary JavaScript code in the victim's browser. If the victim has administrator privileges, it is also possible to execute arbitrary PHP code on the server. This is achieved via overwriting uninitialized variables. **Recommendations** For Bitrix24 version 22.0.300, consider disabling access to the bitrix/modules/main/tools.php component until a patch is available. Restricting the use of uninitialized variables in this component can also help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.