CVE-2020-13483
published 2020-06-24CVE-2020-13483: The Web Application Firewall in Bitrix24 through 20.0.0 allows XSS via the items[ITEMS][ID] parameter to the components/bitrix/mobileapp.list/ajax.php/ URI.
PriorityP278medium6.1CVSS 3.1
AVNACLPRNUIRSCCLILAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
4.51%
90.3th percentile
The Web Application Firewall in Bitrix24 through 20.0.0 allows XSS via the items[ITEMS][ID] parameter to the components/bitrix/mobileapp.list/ajax.php/ URI.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bitrix24 | bitrix24 | <= 20.0.0 | — |
Detection & IOCsextracted from sources · hover to see the quote
url/bitrix/components/bitrix/mobileapp.list/ajax.php/?=&AJAX_CALL=Y&items%5BITEMS%5D%5BBOTTOM%5D%5BLEFT%5D=&items%5BITEMS%5D%5BTOGGLABLE%5D=test123&=&items%5BITEMS%5D%5BID%5D=*/%29%7D%29;function+__MobileAppList()%7Balert(1)%7D//>↗
url/bitrix/components/bitrix/mobileapp.list/ajax.php/?=&AJAX_CALL=Y&items%5BITEMS%5D%5BBOTTOM%5D%5BLEFT%5D=&items%5BITEMS%5D%5BTOGGLABLE%5D=test123&=&items%5BITEMS%5D%5BID%5D=%3Cimg+src=%22//%0d%0a)%3B//%22%22%3E%3Cdiv%3Ex%0d%0a%7D)%3Bvar+BX+=+window.BX%3Bwindow.BX+=+function(node,+bCache)%7B%7D%3BBX.ready+=+function(handler)%7B%7D%3Bfunction+__MobileAppList(test)%7Balert(document.domain)%3B%7D%3B//%3C/div%3E
- →Shodan/FOFA fingerprint for Bitrix24 instances: search for HTTP responses containing '/bitrix/' in the HTML body
- →Vulnerable endpoint responds with HTTP 200 and Content-Type text/html; presence of both XSS payload echo and Bitrix-specific JS identifiers confirms exploitation
- ·The WAF bypass XSS only works up to and including Bitrix24 version 20.0.0; patched versions are not affected ↗
- ·The nuclei template uses stop-at-first-match, meaning only the first successful payload probe is confirmed; both GET request variants should be tested independently for full coverage
CVSS provenance
nvdv3.16.1MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
vulncheck6.1MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-wjr8-v45h-rfpv: The Web Application Firewall in Bitrix24 through 20
ghsa_unreviewed·2022-05-24
CVE-2020-13483 [MEDIUM] GHSA-wjr8-v45h-rfpv: The Web Application Firewall in Bitrix24 through 20
The Web Application Firewall in Bitrix24 through 20.0.0 allows XSS via the items[ITEMS][ID] parameter to the components/bitrix/mobileapp.list/ajax.php/ URI.
VulnCheck
bitrix24 bitrix24 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck·2020·CVSS 6.1
CVE-2020-13483 [MEDIUM] bitrix24 bitrix24 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
bitrix24 bitrix24 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The Web Application Firewall in Bitrix24 through 20.0.0 allows XSS via the items[ITEMS][ID] parameter to the components/bitrix/mobileapp.list/ajax.php/ URI.
Affected: bitrix24 bitrix24
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-15&host_type=src&vulnerability=cve-2020-13483; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-23&host_type=src&vulnerability=cve-2020-13483; https://dashboard.shadowserver.org/statistics/honeypot/vulner
No detection rules found.
Nuclei
Bitrix24 <=20.0.0 - Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2020-13483 [MEDIUM] Bitrix24 <=20.0.0 - Cross-Site Scripting
Bitrix24 20.0.0) to mitigate this vulnerability.
reference:
- https://gist.github.com/mariuszpoplwski/ca6258cf00c723184ebd2228ba81f558
- https://twitter.com/brutelogic/status/1483073170827628547
- https://nvd.nist.gov/vuln/detail/CVE-2020-13483
- https://github.com/afinepl/research
- https://github.com/ARPSyndicate/cvemon
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2020-13483
cwe-id: CWE-79
epss-score: 0.26042
epss-percentile: 0.96286
cpe: cpe:2.3:a:bitrix24:bitrix24:*:*:*:*:*:*:*:*
metadata:
max-request: 2
vendor: bitrix24
product: bitrix24
shodan-query: http.html:"/bitrix/"
fofa-query: body="/bitrix/"
tags: cve2020,cve,xss,bitrix,bitrix24,vkev,vuln
http:
- method: GET
path:
- '{{BaseURL}}/bitrix/components/bitrix/mobileapp.list/
Unit42
Network Security Trends: May-July 2021
blogs_unit42·2021-09-17
Network Security Trends: May-July 2021
## Executive Summary
Unit 42 researchers continue to observe network security trends, tracking how cybercriminals take advantage of vulnerabilities in the real world. The following sections present our analysis of the most recently published vulnerabilities, including their severity and category distribution. Additionally, we provide insight into how the vulnerabilities are exploited in the wild based on real-world data collected from Palo Alto Networks Next-Generation Firewalls. We highlight vulnerabilities ranked medium severity and above that were newly published from May-July 2021 in order to raise awareness of their active exploits in the wild. We then draw conclusions about the most commonly exploited vulnerabilities we observed attackers using, as well as the severity, category and
Unit42
Network Security Trends: May-July 2021
blogs_unit42·2021-09-17
Network Security Trends: May-July 2021
Threat Research Center
Trend Reports
Vulnerabilities
## Network Security Trends: May-July 2021
Yue Guan
Lei Xu
Published: September 17, 2021
Malware
Trend Reports
Vulnerabilities
Attack analysis
Exploit
Exploit in the wild
Network security trends
## Executive Summary
Unit 42 researchers continue to observe network security trends, tracking how cybercriminals take advantage of vulnerabilities in the real world. The following sections present our analysis of the most recently published vulnerabilities, including their severity and category distribution. Additionally, we provide insight into how the vulnerabilities are exploited in the wild based on real-world data collected from Palo Alto Networks Next-Generation Firewalls . We highlight vulnerabilities ranked medium sever
Greynoiseio
NoiseLetter October 2025
blogs_greynoiseio
NoiseLetter October 2025
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
2020-06-24
Published
Exploited in the wild