PT-2024-7262 · Microsoft · Exchange Server
Oleg Labyntsev
Published 2024-04-23 · Updated 2024-11-05
CVE-2024-34891
CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
1C-Bitrix Bitrix24 version 23.300.100
Description
The issue stems from insufficiently protected credentials in the DAV server settings: the Exchange account password is stored in cleartext and is returned to an authenticated Bitrix24 administrator in the response to an HTTP GET request. An attacker who already holds administrator privileges in Bitrix24 (hence PR:H in the vector) can therefore obtain the authentication data of the Microsoft Exchange Server account and use it against Exchange, a separate security authority (hence S:C and C:H).
Recommendations
For 1C-Bitrix Bitrix24 version 23.300.100, restrict access to the DAV server settings to the smallest possible set of administrators to reduce the risk of exploitation. As a temporary workaround, avoid storing the Exchange account in the DAV server settings until a patch is available; if a password has already been saved there, treat it as exposed to every Bitrix24 administrator and rotate it on the Exchange side. At the time of writing there is no information about a newer version that contains a fix for this vulnerability.
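The weakness class behind the description and the recommendations above, as an added example that is not 1C-Bitrix code and does not reflect Bitrix24 internals: a settings handler that stores the Exchange password in cleartext and echoes the whole record back on GET, beside a hardened handler where the secret is write-only through the API. All names (`vulnerable_get_dav_settings`, `hardened_get_dav_settings`, `_secret_store`, the sample settings) are hypothetical. Note the constraint that shapes the fix: the password must remain recoverable because the server uses it to authenticate outbound to Exchange, so it cannot be hashed; it has to be encrypted at rest with a key held outside the database and must never appear in an HTTP response.

```python
"""Added example, not 1C-Bitrix code: the weakness class behind CVE-2024-34891
(cleartext credential in a settings record, echoed back on an HTTP GET), shown as
a vulnerable handler beside a hardened one. Every name here is hypothetical."""
import json
import secrets

# Constructed sample: the Exchange account an Exchange/DAV integration would use.
EXCHANGE_PASSWORD = "S3cret!Pa55"

# ---- Vulnerable pattern (CWE-312 / CWE-522) ------------------------------------
# The password lives in the same record as the rest of the settings, and the GET
# handler serialises the whole record. An administrator (PR:H) gets the cleartext.
vuln_settings = {
    "exchange_server": "mail.example.internal",
    "exchange_user": "svc-bitrix",
    "exchange_password": EXCHANGE_PASSWORD,
}

def vulnerable_get_dav_settings(user: dict) -> tuple[int, dict]:
    if not user.get("is_admin"):
        return 403, {"error": "forbidden"}
    return 200, dict(vuln_settings)  # exchange_password goes out in cleartext

# ---- Hardened pattern ----------------------------------------------------------
# The secret is write-only through the API: it is kept under an opaque handle in a
# separate secret store (in production an encrypted store whose key is held outside
# the database; an in-memory dict stands in for it here), the settings record keeps
# only the handle, and GET reports whether a password is set, never its value.
_secret_store: dict[str, str] = {}

def _put_secret(value: str) -> str:
    handle = secrets.token_urlsafe(16)
    _secret_store[handle] = value
    return handle

def _get_secret(handle: str) -> str:
    return _secret_store[handle]

safe_settings = {
    "exchange_server": "mail.example.internal",
    "exchange_user": "svc-bitrix",
    "exchange_password_ref": _put_secret(EXCHANGE_PASSWORD),
}

def hardened_get_dav_settings(user: dict) -> tuple[int, dict]:
    if not user.get("is_admin"):
        return 403, {"error": "forbidden"}
    public = {k: v for k, v in safe_settings.items() if k != "exchange_password_ref"}
    public["exchange_password_set"] = bool(safe_settings.get("exchange_password_ref"))
    return 200, public

def hardened_put_dav_password(user: dict, new_password: str) -> tuple[int, dict]:
    """Rotation path: the only way a password enters the system; the old handle is dropped."""
    if not user.get("is_admin"):
        return 403, {"error": "forbidden"}
    old = safe_settings.get("exchange_password_ref")
    safe_settings["exchange_password_ref"] = _put_secret(new_password)
    if old:
        _secret_store.pop(old, None)
    return 204, {}

def exchange_password_for_outbound_auth() -> str:
    """Only the server-side Exchange client resolves the handle, never an HTTP response."""
    return _get_secret(safe_settings["exchange_password_ref"])

def response_leaks_secret(body: dict, secret: str) -> bool:
    """Check to run against any settings endpoint: does the serialised body contain the secret?"""
    return secret in json.dumps(body)

if __name__ == "__main__":
    admin = {"is_admin": True}
    print("vulnerable leaks:", response_leaks_secret(vulnerable_get_dav_settings(admin)[1], EXCHANGE_PASSWORD))
    print("hardened leaks:", response_leaks_secret(hardened_get_dav_settings(admin)[1], EXCHANGE_PASSWORD))
```

The `response_leaks_secret` check is the part worth reusing when auditing an integration: configure a known password, fetch every settings or export endpoint as an administrator, and grep the bodies for it. The hardened handler still requires an administrator, matching the recommendation to restrict access; the difference is that even an administrator can only set or replace the credential, not read it back.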
Exploit
Insufficiently Protected Credentials (CWE-522)
Cleartext Storage of Sensitive Information (CWE-312)
Related Identifiers
Affected Products
Bitrix24
Bitrix
Exchange Server