» admin

CVE-2023-42650

Posted on 2023년 11월 1일2023년 11월 1일 by admin

CVE-2023-42650

In engineermode, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges needed

Source: CVE-2023-42650

CVE-2023-42646

Posted on 2023년 11월 1일2023년 11월 1일 by admin

CVE-2023-42646

In Ifaa service, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges needed

Source: CVE-2023-42646

CVE-2023-42648

Posted on 2023년 11월 1일2023년 11월 1일 by admin

CVE-2023-42648

In engineermode, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges needed

Source: CVE-2023-42648

CVE-2023-42645

Posted on 2023년 11월 1일2023년 11월 1일 by admin

CVE-2023-42645

In sim service, there is a possible way to write permission usage records of an app due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed

Source: CVE-2023-42645

CVE-2023-1715

Posted on 2023년 11월 1일2023년 11월 1일 by admin

CVE-2023-1715

A logic error when using mb_strpos() to check for potential XSS payload in Bitrix24 22.0.300 allows attackers to bypass XSS sanitisation via placing HTML tags at the begining of the payload.

Source: CVE-2023-1715

CVE-2023-42640

Posted on 2023년 11월 1일2023년 11월 1일 by admin

CVE-2023-42640

In validationtools, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges needed

Source: CVE-2023-42640

CVE-2023-1720

Posted on 2023년 11월 1일2023년 11월 1일 by admin

CVE-2023-1720

Lack of mime type response header in Bitrix24 22.0.300 allows authenticated remote attackers to execute arbitrary JavaScript code in the victim’s browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via uploading a crafted HTML file through /desktop_app/file.ajax.php?action=uploadfile.

Source: CVE-2023-1720

CVE-2023-1714

Posted on 2023년 11월 1일2023년 11월 1일 by admin

CVE-2023-1714

Unsafe variable extraction in bitrix/modules/main/classes/general/user_options.php in Bitrix24 22.0.300 allows remote authenticated attackers to execute arbitrary code via (1) appending arbitrary content to existing PHP files or (2) PHAR deserialization.

Source: CVE-2023-1714

CVE-2023-1717

Posted on 2023년 11월 1일2023년 11월 1일 by admin

CVE-2023-1717

Prototype pollution in bitrix/templates/bitrix24/components/bitrix/menu/left_vertical/script.js in Bitrix24 22.0.300 allows remote attackers to execute arbitrary JavaScript code in the victimâ€™s browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via polluting `__proto__[tag]` and `__proto__[text]`.

Source: CVE-2023-1717

CVE-2023-42631

Posted on 2023년 11월 1일2023년 11월 1일 by admin

CVE-2023-42631

In validationtools, there is a possible missing permission check. This could lead to local information disclosure with no additional execution privileges needed

Source: CVE-2023-42631