Unrated severityNVD Advisory· Published Nov 1, 2023· Updated Sep 5, 2024
Bitrix24 Stored Cross-Site Scripting (XSS) via File Upload
CVE-2023-1720
Description
Lack of mime type response header in Bitrix24 22.0.300 allows authenticated remote attackers to execute arbitrary JavaScript code in the victim's browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via uploading a crafted HTML file through /desktop_app/file.ajax.php?action=uploadfile.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1- starlabs.sg/advisories/23/23-1720/mitrethird-party-advisory
News mentions
0No linked articles in our index yet.