Description

A logic error in the use of mb_strpos() to check for a potential XSS payload in Bitrix24 22.0.300 allows attackers to bypass XSS sanitisation by placing HTML tags at the beginning of the payload.

PUBLISHED Reserved 2023-03-30 | Published 2023-11-01 | Updated 2024-09-05 | Assigner STAR_Labs

CRITICAL: 9.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

Default status: unaffected

Any version: affected

Credits

Lam Jun Rong & Li Jiantao of STAR Labs SG Pte. Ltd. (@starlabs_sg) finder

References

starlabs.sg/advisories/23/23-1715/ third-party-advisory

cve.org (CVE-2023-1715)

nvd.nist.gov (CVE-2023-1715)