CVE-2023-1714

Published: Nov 1, 2023Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Unsafe variable extraction in bitrix/modules/main/classes/general/user_options.php in Bitrix24 22.0.300 allows remote authenticated attackers to execute arbitrary code via (1) appending arbitrary content to existing PHP files or (2) PHAR deserialization.

Affected (1)

Products: Bitrix24: Bitrix24

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Bitrix24 Bitrix24	Version 22.0.300

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (2)

https://starlabs.sg/advisories/23/23-1714/

Source: info@starlabs.sg

ExploitThird Party Advisory

https://starlabs.sg/advisories/23/23-1714/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.