PT-2015-2906 · 1С · 1С-Битрикс (1C-Bitrix)

Published: 2015-12-16 · Updated: 2018-10-09 · CVE-2015-8357

CVSS v2.0: 6.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: 1С-Битрикс with the bitrix.xscan module at versions prior to 1.0.4.

Description: The issue exists because the admin/bitrix.xscan worker.php module of the 1С-Битрикс web project management system does not sufficiently restrict the directory path it builds from the file parameter. By supplying ".." sequences in that parameter, a remote attacker (authenticated, per the Au:S component of the vector) can make the module operate on files outside the intended directory: rename arbitrary files, obtain sensitive information, or cause a denial of service by renaming files the site depends on.

Recommendations: For 1С-Битрикс installations with bitrix.xscan prior to 1.0.4, update the bitrix.xscan module to version 1.0.4 or later. As a temporary workaround, restrict access to the admin/bitrix.xscan worker.php module (for example, to trusted administrator addresses only) to reduce exposure, and do not pass the file parameter to the affected endpoint until the module is updated.
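The following is an added illustration of the bug class described above, not code from the bitrix.xscan module or from Positive Technologies: a request-supplied file name is joined onto the directory the scanner is allowed to touch and then renamed, once without any containment check (the flawed pattern) and once with the path canonicalised and confined to that directory. The site layout, the "upload" directory, the quarantine suffix and the function names are all assumptions made for the demonstration; the sample files are constructed in a temporary directory so the script runs offline.

```python
import os
import tempfile
from typing import Optional

SCAN_SUBDIR = "upload"              # assumed directory the scanner may touch
QUARANTINE_SUFFIX = ".quarantined"  # assumed rename suffix; illustrative only


def make_site() -> str:
    """Constructed site layout: a scannable upload directory plus a sensitive
    file one level above it, standing in for the web root's configuration."""
    root = tempfile.mkdtemp(prefix="xscan_demo_")
    os.makedirs(os.path.join(root, SCAN_SUBDIR))
    with open(os.path.join(root, SCAN_SUBDIR, "shell.php"), "w") as f:
        f.write("<?php /* constructed suspicious upload */ ?>\n")
    with open(os.path.join(root, "config.php"), "w") as f:
        f.write("<?php /* constructed sensitive file */ ?>\n")
    return root


def vulnerable_quarantine(scan_dir: str, file: str) -> str:
    """The flawed pattern: the request's file value is joined onto the scan
    directory and renamed with no check that the result stays inside it,
    so '../config.php' renames a file outside scan_dir."""
    src = os.path.join(scan_dir, file)
    dst = src + QUARANTINE_SUFFIX
    os.rename(src, dst)
    return dst


def safe_scan_path(scan_dir: str, file: str) -> Optional[str]:
    """Canonicalise scan_dir/<file> and return it only if it lies strictly
    inside scan_dir. Absolute paths, '..' segments and symlinks pointing out
    of scan_dir all resolve to something outside and are rejected."""
    base = os.path.realpath(scan_dir)
    target = os.path.realpath(os.path.join(base, file))
    if target == base or os.path.commonpath([base, target]) != base:
        return None
    return target


def hardened_quarantine(scan_dir: str, file: str) -> str:
    """Same rename, but only for a regular file confined to scan_dir."""
    src = safe_scan_path(scan_dir, file)
    if src is None or not os.path.isfile(src):
        raise PermissionError(f"refusing to quarantine {file!r}: not inside {scan_dir}")
    dst = src + QUARANTINE_SUFFIX
    os.rename(src, dst)
    return dst


def run_demo() -> dict:
    """Drive both versions against the constructed site and report outcomes."""
    root = make_site()
    scan_dir = os.path.join(root, SCAN_SUBDIR)
    results = {}
    results["traversal_rejected"] = safe_scan_path(scan_dir, "../config.php") is None
    results["absolute_rejected"] = safe_scan_path(scan_dir, "/etc/passwd") is None
    results["dot_rejected"] = safe_scan_path(scan_dir, ".") is None
    results["plain_allowed"] = safe_scan_path(scan_dir, "shell.php") is not None
    try:
        hardened_quarantine(scan_dir, "../config.php")
        results["hardened_blocked"] = False
    except PermissionError:
        # the sensitive file must be untouched after the refusal
        results["hardened_blocked"] = os.path.isfile(os.path.join(root, "config.php"))
    results["hardened_renamed"] = os.path.isfile(hardened_quarantine(scan_dir, "shell.php"))
    vulnerable_quarantine(scan_dir, "../config.php")
    results["vulnerable_escaped"] = os.path.isfile(
        os.path.join(root, "config.php" + QUARANTINE_SUFFIX))
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name:20s} {ok}")
```

The containment check resolves both sides with realpath before comparing, so encoded or nested traversal sequences are judged after normalisation and a symlink inside the scan directory cannot be used to reach outside it. The PHP equivalent is realpath() on both the base directory and the joined path followed by a prefix comparison, keeping in mind that PHP's realpath() returns false for a path that does not exist, which a rename destination usually does not.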

Exploit · Fix · Path traversal

Weakness Enumeration

Related Identifiers

BDU:2016-00003
CVE-2015-8357

Affected Products

1С-Битрикс