CVE-2023-1717

Name of the Vulnerable Software and Affected Versions Bitrix24 version 22.0.300

Description The issue is related to prototype pollution in the bitrix/templates/bitrix24/components/bitrix/menu/left vertical/script.js component of Bitrix24. This allows remote attackers to execute arbitrary JavaScript code in the victim's browser and possibly execute arbitrary PHP code on the server if the victim has administrator privileges. The exploitation is done by polluting proto [tag] and proto [text].

Recommendations For Bitrix24 version 22.0.300, consider disabling the script.js component temporarily until a patch is available to prevent exploitation. Restrict access to the bitrix/templates/bitrix24/components/bitrix/menu/left vertical/script.js file to minimize the risk of exploitation. Avoid using the proto [tag] and proto [text] variables in the affected component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.