CVE-2023-1715 CRITICAL

CVE-2023-1715: Bitrix24 Stored Cross-Site Scripting (XSS) via Improper Input Neutralization on Invoice Edit Page (1 of 2)

Vendor Bitrix24
Product Bitrix24
Weakness CWE-79 · XSS
Published November 1, 2023
Last update September 5, 2024

CVSS base score

9.0/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

A logic error when using mb_strpos() to check for potential XSS payload in Bitrix24 22.0.300 allows attackers to bypass XSS sanitisation via placing HTML tags at the begining of the payload.

Key dates

02Disclosure timeline

November 1, 2023 CVE published
September 5, 2024 Record updated

Related vulnerabilities

04Related CVE