PT-2023-1981 · 1C · Bitrix24

Dmitry Lymbin

Published 2023-01-20 · Updated 2025-12-01

CVE-2022-43959

CVSS v3.1: 4.9 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: 1C-Bitrix Bitrix24 versions through 22.200.200

Description: The issue is related to insufficient protection of registration data in the AD/LDAP server settings, allowing a remote attacker to gain unauthorized access to protected information. This can be achieved by exploiting the vulnerability through the /bitrix/admin/ldap_server_edit.php endpoint, potentially by reading the source code to discover an AD/LDAP administrative password.

Recommendations: For 1C-Bitrix Bitrix24 versions through 22.200.200, consider restricting access to the /bitrix/admin/ldap_server_edit.php endpoint until a patch is available. As a temporary workaround, limit the ability of remote administrators to read the source code of this endpoint to minimize the risk of exploitation.
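One way to apply the interim recommendation above at the web-server layer, as an added example that is not part of this advisory and not Bitrix's own configuration: an nginx location block that serves the affected admin page only to a trusted administrative network and returns 403 to every other client. The network range and the PHP-FPM socket path are assumptions; adjust them to the deployment.

```nginx
# Added example (not from the advisory): confine the affected admin page to an
# administrative network until the vendor patch is applied.
location = /bitrix/admin/ldap_server_edit.php {
    allow 10.20.0.0/16;   # assumed admin network; replace with the real range
    deny  all;            # all other source addresses receive HTTP 403

    # Requests from the allowed range must still reach PHP; the socket path
    # below is an assumption for a typical PHP-FPM setup.
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;
}
```

Because nginx evaluates `allow`/`deny` before handing the request to PHP, blocked clients never reach the page code. Keep the 403 responses for this location in the access log; a steady stream of denied hits against this exact path from unexpected addresses is a useful signal while the workaround is in place.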

Weakness Enumeration

Insufficiently Protected Credentials
Information Disclosure

Related identifiers

BDU:2023-01604
CVE-2022-43959

Affected products

Bitrix24
Bitrix