Critical vulnerabilities found in Bitrix24: Update recommendations

Lord777

Researchers from Singapore have made an invaluable contribution to the security of Bitrix.

In the product Bitrix24, a popular cloud solution for automating business processes and interacting with customers, 8 critical vulnerabilities were recently discovered at once, which can lead to a whole range of malicious actions on the part of potential attackers.

The responsibility for identifying all security flaws lies with specialists from the Singapore-based company Star Labs, who published comprehensive reports on each vulnerability, describing in detail the principle of their operation and providing everything with a lot of technical explanations.

Below is a complete list of the detected shortcomings with a brief description, as well as links to the researchers' reports:
  1. CVE-2023-1713 (CVSS 3.1: 8.8 points). Vulnerability related to errors in the data import mechanism. Successful exploitation allows an internal attacker to increase their privileges in the system. Star Labs report.
  2. CVE-2023-1714 (CVSS 3.1: 8.8 points). Vulnerability related to errors in the data import mechanism. Successful exploitation allows an internal attacker to increase their privileges in the system. Star Labs report.
  3. CVE-2023-1715 (CVSS 3.1: 8.8 points). Vulnerability related to an error in processing input data. Successful exploitation allows an internal attacker to execute arbitrary code on systems of certain configurations and PHP version < 8.0. Star Labs report.
  4. CVE-2023-1716 (CVSS 3.1: 8.8 points). An Invoice Edit Page vulnerability that allows an attacker to conduct a cross-site scripting (XSS) attack. Star Labs report.
  5. CVE-2023-1717 (CVSS 3.1: 9.6 points). Vulnerability related to an error in processing input data. An attacker can generate a malicious link and exploit JavaScript prototype pollution in the victim's browser. Star Labs report.
  6. CVE-2023-1718 (CVSS 3.1: 7.5 points). A vulnerability that can lead to a "denial of service" for a specific system configuration. Star Labs report.
  7. CVE-2023-1719 (CVSS 3.1: 7.5 points). Vulnerability related to an error in processing input data. An attacker can gain access to user files. Star Labs report.
  8. CVE-2023-1720 (CVSS 3.1: 9.3 points). Vulnerability related to a missing MIME response header that allows the attacker to execute arbitrary JavaScript code. Star Labs report.

Also, Star Labs experts provided a detailed chronology of their interaction with 1C-Bitrix. According to the researchers' reports, initial contact with the company's representatives was made in March 2023. After long negotiations and a series of patches, on November 1 the researchers finally posted the aforementioned reports, making information about the vulnerabilities publicly available.

According to the information on the product's website, all the vulnerabilities described above have been fixed in various versions of Bitrix24. Administrators are advised to update supported installations to the latest version to avoid problems associated with potential malicious impact from intruders.