PT-2022-7989 · Bitrix · Bitrix Site Manager
Mustlive · Published 2022-06-30 · Updated 2022-07-09 · CVE-2017-20122
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Bitrix Site Manager version 12.06.2015
Description
A cross-site scripting vulnerability was found in the Contact Form component of Bitrix Site Manager. The issue arises from manipulation of the `text` argument with malicious input, such as `<img src="http://1"; on onerror="$('p').text('Hacked')" />`, leading to basic cross-site scripting. The attack can be launched remotely. The exploit has been publicly disclosed and may be used.
Recommendations
For Bitrix Site Manager version 12.06.2015, consider disabling the Contact Form component until a patch is available to prevent exploitation. Restrict access to the component to minimize the risk of cross-site scripting attacks. Avoid using the `text` argument in the affected component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
XSS
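As an added illustration (example code, not Bitrix's own), the hypothetical PHP template fragment below shows the unsafe output pattern behind this class of bug next to its hardened form; only the `text` field name comes from the advisory, all other names are assumed.

```php
<?php
// Added example, not Bitrix code: a minimal stand-in for a contact-form
// template that reflects the submitted `text` field back into the page.
// The field name `text` is taken from the advisory; everything else is hypothetical.

// Vulnerable pattern: the raw parameter is concatenated into HTML, so a value
// containing a tag with an event handler becomes live markup in the browser.
function renderMessageVulnerable(string $text): string
{
    return '<p class="message">' . $text . '</p>';
}

// Hardened pattern: encode for the HTML text context at the point of output.
// ENT_QUOTES escapes both quote styles, ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, and an explicit charset avoids mismatches.
function renderMessageSafe(string $text): string
{
    $encoded = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<p class="message">' . $encoded . '</p>';
}

// Regression check a reviewer can keep in a test suite: after rendering, the
// user-controlled portion must not contain an unescaped '<' or '"'.
function innerHasRawMarkup(string $html): bool
{
    $open  = '<p class="message">';
    $close = '</p>';
    $inner = substr($html, strlen($open), -strlen($close));
    return strpos($inner, '<') !== false || strpos($inner, '"') !== false;
}

// Constructed sample: the payload quoted in the advisory.
$sample = '<img src="http://1"; on onerror="$(\'p\').text(\'Hacked\')" />';

echo renderMessageVulnerable($sample), PHP_EOL; // tag survives intact
echo renderMessageSafe($sample), PHP_EOL;       // tag shown as literal text

var_dump(innerHasRawMarkup(renderMessageVulnerable($sample))); // unsafe output
var_dump(innerHasRawMarkup(renderMessageSafe($sample)));       // safe output
```

The same check applies to any other template that echoes form fields; escaping must happen for each output context (HTML body, attribute, JavaScript), not once on input.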
Related Identifiers
Affected Products
Bitrix Site Manager