PT-2023-6687 · Bitrix · Bitrix24
Author: Lam Jun Rong
Published 2023-11-01 · Updated 2025-12-01
CVE-2023-1714
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Bitrix24 version 22.0.300
Description
An unsafe variable extraction issue (unvalidated use of request data as variables) exists in the file bitrix/modules/main/classes/general/user_options.php. Because the file name or path is taken from externally controlled input without proper validation (incorrect external control of a file name or path), a remote authenticated attacker can reach arbitrary code execution in two ways: by appending attacker-controlled content to an existing PHP file, or by triggering PHAR deserialization of untrusted data. Successful exploitation may allow the attacker to execute arbitrary code and elevate privileges.
Recommendations
Bitrix24 version 22.0.300: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Deserialization of Untrusted Data
Related Identifiers
Affected Products
Bitrix
Bitrix24