CVE-2023-1716 CRITICAL

CVE-2023-1716: Bitrix24 Stored Cross-Site Scripting (XSS) via Improper Input Neutralization on Invoice Edit Page (2 of 2)

Vendor Bitrix24

Product Bitrix24

Weakness CWE-79 · XSS

Published November 1, 2023

Last update September 5, 2024

View on NVD All CVEs

CVSS base score

9.0/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Cross-site scripting (XSS) vulnerability in Invoice Edit Page in Bitrix24 22.0.300 allows attackers to execute arbitrary JavaScript code in the victim's browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege.

Key dates

02Disclosure timeline

November 1, 2023 CVE published

September 5, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2023-1716 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

CVE-2023-1716: Bitrix24 Stored Cross-Site Scripting (XSS) via Improper Input Neutralization on Invoice Edit Page (2 of 2)

01Description

02Disclosure timeline

03References

04Related CVE