PT-2023-1981 · 1C · Bitrix24
Dmitry Lymbin +2
Published: 2023-01-20 · Updated: 2025-12-01
CVE-2022-43959
CVSS v3.1: 4.9 (Medium)
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
1C-Bitrix Bitrix24 versions through 22.200.200
Description
The vulnerability stems from insufficient protection of credentials in the AD/LDAP server settings, allowing a remote attacker with administrative privileges to gain unauthorized access to protected information. The attacker can exploit it through the /bitrix/admin/ldap_server_edit.php endpoint, potentially by reading the page source to discover the AD/LDAP administrative password.
Recommendations
For 1C-Bitrix Bitrix24 versions through 22.200.200, restrict access to the /bitrix/admin/ldap_server_edit.php endpoint until a patch is available. As a temporary workaround, limit the ability of remote administrators to read the source of this endpoint to reduce the risk of exploitation.
Weakness Types
Insufficiently Protected Credentials
Information Disclosure
Affected Products
Bitrix24
Bitrix