PT-2023-6693 · Bitrix · Bitrix24

Lam Jun Rong

Published 2023-11-01 · Updated 2023-11-08 · CVE-2023-1715

CVSS v3.1: 9.0 Critical
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Bitrix24 version 22.0.300

Description: A logic error in the mb_strpos() function allows attackers to bypass XSS sanitization by placing HTML tags at the beginning of the payload, potentially leading to a cross-site scripting (XSS) attack. This issue is related to the failure to neutralize scripts in attributes on web pages.

Recommendations: For Bitrix24 version 22.0.300, consider disabling the mb_strpos() function until a patch is available to prevent exploitation of this issue. Restrict access to any modules or functions that utilize the mb_strpos() function to minimize the risk of XSS attacks. Avoid using HTML tags at the beginning of any payload in the affected version to reduce the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
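To illustrate the class of logic error the description points at, here is a constructed PHP example that is not Bitrix24's code: it assumes (our assumption, not stated on this page) that the sanitizer tested the result of mb_strpos() for truthiness, so a tag at offset 0 yields 0, which is falsy, and is treated as "not found". The function names, sample inputs and the `<script` needle are all constructed for the example.

```php
<?php
declare(strict_types=1);

// Constructed example, not Bitrix24 code. Assumption: the sanitizer tested
// the result of mb_strpos() for truthiness. mb_strpos() returns int|false,
// and 0 (needle at the very start of the string) is falsy in a loose test,
// so a tag placed at the beginning of the input is reported as "not found".
// Requires the mbstring extension.

/** Vulnerable check: loose truthiness test on the offset. */
function containsTagLoose(string $input, string $needle): bool
{
    if (mb_strpos($input, $needle)) {   // offset 0 is treated like false here
        return true;
    }
    return false;
}

/** Hardened check: strict comparison against false. */
function containsTagStrict(string $input, string $needle): bool
{
    return mb_strpos($input, $needle) !== false;
}

/** Reject any input that contains the tag; returns the input or throws. */
function acceptInput(string $input, callable $check): string
{
    if ($check($input, '<script')) {
        throw new InvalidArgumentException('script tag rejected');
    }
    return $input;
}

// Constructed sample inputs: same tag, different offsets.
$samples = [
    'hello <script>x</script>',  // tag at offset 6: both checks catch it
    '<script>x</script> hello',  // tag at offset 0: the loose check misses it
];

foreach (['loose' => 'containsTagLoose', 'strict' => 'containsTagStrict'] as $name => $fn) {
    foreach ($samples as $s) {
        try {
            acceptInput($s, $fn);
            $result = 'ALLOWED';
        } catch (InvalidArgumentException $e) {
            $result = 'rejected';
        }
        printf("%-6s %-28s %s\n", $name, $s, $result);
    }
}
```

A substring blocklist is not a sanitizer even with the strict comparison; treat that fix as closing this one bypass, and rely on context-aware output encoding (htmlspecialchars() for element and attribute content) or an allowlist HTML sanitizer for the actual XSS defence.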

Exploit

XSS


Weakness Enumeration

Related identifiers

BDU:2023-07463
CVE-2023-1715

Affected products

Bitrix
Bitrix24