Lam Jun Rong

**Name of the Vulnerable Software and Affected Versions** Vinyl Cache versions prior to 9.0.1 Varnish Cache versions prior to 9.0.3 **Description** A deficiency in HTTP/2 request parsing allows for backend request desync attacks, also known as request smuggling. This occurs when the frontend and backend servers disagree on where a request ends, allowing an attacker to "smuggle" a request. This can lead to cache poisoning, authentication bypass, information disclosure, and data manipulation. The issue is only present if HTTP/2 support is enabled by configuring the `feature` parameter to include `+http2`. By default, this support is disabled. **Recommendations** Update Vinyl Cache to version 9.0.1 or later. Update Varnish Cache to version 9.0.3 or later. As a temporary mitigation, ensure that HTTP/2 support is disabled by removing `+http2` from the `feature` parameter.

**Name of the Vulnerable Software and Affected Versions** (affected versions not specified) **Description** Successful exploitation of the issue could allow an attacker to execute arbitrary commands as root, potentially leading to the loss of confidentiality, integrity, availability, and full control of the access point. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: The issue allows an unauthenticated attacker to upload firmware through a public update page. This could potentially lead to backdoor installation or privilege escalation. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bitrix24 version 22.0.300 **Description** An improper file stream access issue exists in the `/desktop app/file.ajax.php?action=uploadfile` component of Bitrix24. This allows unauthenticated remote attackers to cause a denial-of-service condition by using a crafted `tmp url`. The issue is related to a loop with an inaccessible exit condition. The affected API endpoint is `/desktop app/file.ajax.php` with the `action` parameter set to `uploadfile`. The vulnerable parameter is `tmp url`. **Recommendations** Bitrix24 version 22.0.300: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bitrix24 version 22.0.300 **Description** The issue is related to prototype pollution in the bitrix/templates/bitrix24/components/bitrix/menu/left vertical/script.js component of Bitrix24. This allows remote attackers to execute arbitrary JavaScript code in the victim's browser and possibly execute arbitrary PHP code on the server if the victim has administrator privileges. The exploitation is done by polluting ` proto [tag]` and ` proto [text]`. **Recommendations** For Bitrix24 version 22.0.300, consider disabling the script.js component temporarily until a patch is available to prevent exploitation. Restrict access to the bitrix/templates/bitrix24/components/bitrix/menu/left vertical/script.js file to minimize the risk of exploitation. Avoid using the ` proto [tag]` and ` proto [text]` variables in the affected component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bitrix24 version 22.0.300 **Description** An unsafe variable extraction issue exists in the `bitrix/modules/main/classes/general/user options.php` file. This allows remote authenticated attackers to execute arbitrary code through two methods: appending arbitrary content to existing PHP files, or PHAR deserialization. The issue involves incorrect external control of the file name or path. Exploitation may allow an attacker to execute arbitrary code and elevate privileges. **Recommendations** Bitrix24 version 22.0.300: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bitrix24 versions prior to 22.0.300 **Description** An issue exists in the component `bitrix/modules/crm/lib/order/import/instagram.php` of Bitrix24 that stems from insufficient protection of web page structure. Exploitation of this issue could allow a remote attacker to execute arbitrary code by uploading a specially crafted ".htaccess" file. The issue allows for privilege escalation. The vulnerability is tracked as CVE-2023-1713. No information is available regarding the number of potentially affected devices worldwide or any real-world incidents where this issue has been exploited. The vulnerability involves insecure temporary file creation. The vulnerable file is located at `bitrix/modules/crm/lib/order/import/instagram.php`. **Recommendations** Disable or remove unused user accounts. Minimize user privileges. Utilize web application firewall (WAF) tools. Monitor server access logs for requests to '/upload/tmp/xxx/.htaccess' (where xxx is a 3-character alphanumeric string) or any request to '/upload/tmp/' via HTTP. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bitrix24 version 22.0.300 **Description** A logic error in the `mb strpos()` function allows attackers to bypass XSS sanitization by placing HTML tags at the beginning of the payload, potentially leading to a cross-site scripting (XSS) attack. This issue is related to the failure to neutralize scripts in attributes on web pages. **Recommendations** For Bitrix24 version 22.0.300, consider disabling the `mb strpos()` function until a patch is available to prevent exploitation of this issue. Restrict access to any modules or functions that utilize the `mb strpos()` function to minimize the risk of XSS attacks. Avoid using HTML tags at the beginning of any payload in the affected version to reduce the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bitrix24 version 22.0.300 **Description** The issue is related to the lack of a mime type response header in Bitrix24, which allows authenticated remote attackers to execute arbitrary JavaScript code in the victim's browser. If the victim has administrator privileges, it is also possible to execute arbitrary PHP code on the server. This can be achieved by uploading a crafted HTML file through the "/desktop app/file.ajax.php?action=uploadfile" endpoint. **Recommendations** For Bitrix24 version 22.0.300, as a temporary workaround, consider disabling the upload functionality through the "/desktop app/file.ajax.php?action=uploadfile" endpoint until a patch is available. Restrict access to the `file.ajax.php` module to minimize the risk of exploitation. Avoid using this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bitrix24 version 22.0.300 **Description** The issue in Bitrix24 is related to global variable extraction in the bitrix/modules/main/tools.php component, allowing unauthenticated remote attackers to enumerate attachments on the server and execute arbitrary JavaScript code in the victim's browser. If the victim has administrator privileges, it is also possible to execute arbitrary PHP code on the server. This is achieved via overwriting uninitialized variables. **Recommendations** For Bitrix24 version 22.0.300, consider disabling access to the bitrix/modules/main/tools.php component until a patch is available. Restricting the use of uninitialized variables in this component can also help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.