CVE-2023-1719

Name of the Vulnerable Software and Affected Versions Bitrix24 version 22.0.300

Description The issue in Bitrix24 is related to global variable extraction in the bitrix/modules/main/tools.php component, allowing unauthenticated remote attackers to enumerate attachments on the server and execute arbitrary JavaScript code in the victim's browser. If the victim has administrator privileges, it is also possible to execute arbitrary PHP code on the server. This is achieved via overwriting uninitialized variables.

Recommendations For Bitrix24 version 22.0.300, consider disabling access to the bitrix/modules/main/tools.php component until a patch is available. Restricting the use of uninitialized variables in this component can also help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.