CVE-2023-1717 CRITICAL

CVE-2023-1717: Bitrix24 Cross-Site Scripting (XSS) via Client-side Prototype Pollution

Vendor Bitrix24
Product Bitrix24
Weakness CWE-79 · XSS
Published November 1, 2023
Last update September 5, 2024

CVSS base score

9.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

Prototype pollution in bitrix/templates/bitrix24/components/bitrix/menu/left_vertical/script.js in Bitrix24 22.0.300 allows remote attackers to execute arbitrary JavaScript code in the victim’s browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via polluting `__proto__[tag]` and `__proto__[text]`.

Key dates

02Disclosure timeline

November 1, 2023 CVE published
September 5, 2024 Record updated