Oleg Labyntsev

**Name of the Vulnerable Software and Affected Versions** 1C-Bitrix Bitrix24 version 23.300.100 **Description** The issue is related to insufficiently protected credentials in AD/LDAP server settings, allowing remote administrators to send AD/LDAP administrators' account passwords to an arbitrary server via HTTP POST request. This can enable a remote attacker to gain access to domain controller (AD) credentials. **Recommendations** For version 23.300.100, consider restricting access to the AD/LDAP server settings to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using the vulnerable AD/LDAP configuration in the affected Bitrix24 version.

**Name of the Vulnerable Software and Affected Versions** 1C-Bitrix Bitrix24 version 23.300.100 **Description** The issue is related to insufficiently protected credentials in SMTP server settings, allowing remote administrators to read SMTP accounts passwords via an HTTP GET request. This can be exploited by a remote attacker to misuse SMTP settings and gain access to authentication data from the SMTP server. **Recommendations** For version 23.300.100, consider restricting access to the SMTP server settings to minimize the risk of exploitation. As a temporary workaround, avoid using the HTTP GET request to access SMTP account passwords until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** 1C-Bitrix Bitrix24 version 23.300.100 **Description** The issue is related to insufficiently protected credentials in DAV server settings, allowing remote administrators to read Exchange account passwords via an HTTP GET request. This can permit a remote attacker to gain access to authentication data from the Microsoft Exchange Server. **Recommendations** For 1C-Bitrix Bitrix24 version 23.300.100, consider restricting access to the DAV server settings to minimize the risk of exploitation. As a temporary workaround, avoid using the DAV server settings until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** 1C-Bitrix Bitrix24 version 23.300.100 **Description** The issue concerns insufficiently protected credentials in SMTP server settings, allowing remote administrators to send SMTP account passwords to an arbitrary server via an HTTP POST request. This could enable a remote attacker to gain access to authentication data from the SMTP server. **Recommendations** For version 23.300.100, update to the latest patch version immediately and rotate compromised credentials. As a temporary workaround, consider restricting access to the SMTP server settings to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: 1C-Bitrix Bitrix24 version 23.300.100 Description: The issue is related to insufficiently protected credentials in the DAV server settings, allowing remote administrators to read proxy-server accounts passwords via an HTTP GET request. This exposes the credentials, potentially leading to unauthorized access. Recommendations: For version 23.300.100, consider restricting access to the DAV server settings to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using the proxy-server accounts passwords in the affected DAV server settings.