PT-2023-6688 · Bitrix · Bitrix24

Lam Jun Rong +1 · Published 2023-11-01 · Updated 2023-11-17 · CVE-2023-1720

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

Bitrix24 version 22.0.300

Description

Bitrix24 does not send a MIME type response header, which allows authenticated remote attackers to execute arbitrary JavaScript code in the victim's browser. If the victim has administrator privileges, it is also possible to execute arbitrary PHP code on the server. This can be achieved by uploading a crafted HTML file through the "/desktop app/file.ajax.php?action=uploadfile" endpoint.

Recommendations

For Bitrix24 version 22.0.300, as a temporary workaround, consider disabling the upload functionality through the "/desktop app/file.ajax.php?action=uploadfile" endpoint until a patch is available. Restrict access to the file.ajax.php module to minimize the risk of exploitation. Avoid using this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

RCE

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

BDU:2023-07458
CVE-2023-1720

Affected Products

Bitrix24