
THREATINT
Status: PUBLISHED

CVE-2023-1716

Bitrix24 Stored Cross-Site Scripting (XSS) via Improper Input Neutralization on Invoice Edit Page (2 of 2)



Assigner: STAR_Labs
Reserved: 2023-03-30
Published: 2023-11-01
Updated: 2024-09-05

Description

A stored cross-site scripting (XSS) vulnerability in the Invoice Edit Page of Bitrix24 22.0.300 allows an authenticated attacker to execute arbitrary JavaScript in a victim's browser and, if the victim holds administrator privileges, potentially to execute arbitrary PHP code on the server. The server-side impact depends on what the victim's administrator session is allowed to do, not on the XSS alone, which is why the advisory qualifies it with "possibly".



CRITICAL: 9.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)

Reading the vector: the attacker needs only low privileges (PR:L, i.e. an account that can save invoice data), the victim must open the affected page (UI:R), and the scope change (S:C) reflects that code runs in the victim's browser and, for an administrator victim, potentially on the server.

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
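The advisory does not publish the affected field or the payload, so the following is an added illustrative example, not Bitrix24 code: it shows the CWE-79 pattern described above (a stored value written into the invoice edit page without neutralization) beside its hardened form, and a parser-based check that tells the two apart. The field name COMMENT, the template and the payload are constructed for the example.

```python
"""Added illustrative example, not Bitrix24 code: a stored value rendered
into an HTML attribute without neutralization (CWE-79), the hardened
rendering, and a parser-based check. Field name, template and payload
are constructed here."""

from __future__ import annotations

import html
from html.parser import HTMLParser

# Constructed attacker-controlled value, as it would sit in the database
# after a low-privilege user saved it through an invoice form.
STORED_PAYLOAD = '"><img src=x onerror="alert(document.domain)">'


def render_comment_vulnerable(comment: str) -> str:
    """Interpolates the stored value straight into an attribute (CWE-79)."""
    return f'<input name="COMMENT" value="{comment}">'


def render_comment_safe(comment: str) -> str:
    """Encodes for the HTML attribute context before interpolation.

    html.escape(quote=True) turns & < > " ' into entities, so the stored
    value can neither close the attribute nor start a new tag."""
    return f'<input name="COMMENT" value="{html.escape(comment, quote=True)}">'


class _ElementCollector(HTMLParser):
    """Records every start tag and its attributes, as a browser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.elements: list[tuple[str, list[tuple[str, str | None]]]] = []

    def handle_starttag(self, tag, attrs):
        self.elements.append((tag, attrs))

    def handle_startendtag(self, tag, attrs):
        self.elements.append((tag, attrs))


def has_injected_markup(rendered: str, expected_tag: str = "input") -> bool:
    """True if rendering produced anything beyond the single intended
    element, or an on* event-handler attribute on that element.

    A substring search is not enough here: the encoded output still
    contains the text 'onerror=' inside the attribute value, where it is
    inert, so the check has to look at the parsed element structure."""
    parser = _ElementCollector()
    parser.feed(rendered)
    parser.close()
    if len(parser.elements) != 1:
        return True  # an extra element (e.g. <img>) was injected
    tag, attrs = parser.elements[0]
    if tag != expected_tag:
        return True
    return any(name.lower().startswith("on") for name, _ in attrs)


if __name__ == "__main__":
    for label, render in (("vulnerable", render_comment_vulnerable),
                          ("hardened", render_comment_safe)):
        out = render(STORED_PAYLOAD)
        print(f"{label}: {out}")
        print(f"  injected markup: {has_injected_markup(out)}")
```

The hardened renderer is correct only for the double-quoted attribute context it targets; a value placed into a script block, a URL, or an unquoted attribute needs the encoding for that context instead.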

Product status

Default status: [not rendered]
Any version: affected

Credits

Lam Jun Rong & Li Jiantao of STAR Labs SG Pte. Ltd. (@starlabs_sg)

References

https://starlabs.sg/advisories/23/23-1716/ (third-party advisory)

cve.org CVE-2023-1716

nvd.nist.gov CVE-2023-1716


https://cve.threatint.com/CVE/CVE-2023-1716