CVE-2023-1719 (published 2023-11-01)


Priority: P269
Severity: critical, CVSS 3.1 base score 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 4.97% (91.1st percentile)
Global variable extraction in bitrix/modules/main/tools.php in Bitrix24 22.0.300 allows unauthenticated remote attackers to (1) enumerate attachments on the server and (2) execute arbitrary JavaScript code in the victim's browser, and possibly execute arbitrary PHP code on the server if the victim has administrator privilege, via overwriting uninitialised variables.

Affected (2 ranges)

Vendor      Product     Version range    Fixed in
bitrix24    bitrix24    <= 22.0.300
bitrix24    bitrix24

Detection & IOCs (extracted from sources)

path: /bitrix/modules/main/tools.php
url: /bitrix/components/bitrix/socialnetwork.events_dyn/get_message_2.php?log_cnt=
path: /bitrix/components/bitrix/socialnetwork.events_dyn/get_message_2.php
  • HTTP GET request to /bitrix/components/bitrix/socialnetwork.events_dyn/get_message_2.php with a log_cnt parameter; a vulnerable response returns HTTP 200 with Content-Type text/html and a body containing the string 'LOG_CNT':
  • Shodan/FOFA fingerprinting: hosts serving content containing '/bitrix/' in the HTML body are candidate Bitrix24 instances to check for this vulnerability.
  • The vulnerability is exploitable by unauthenticated attackers (no session or authentication required) via overwriting uninitialised variables in tools.php, enabling XSS and potential RCE if the victim holds administrator privilege.
  • The affected version is specifically Bitrix24 22.0.300; the Nuclei template targets this exact version via CPE cpe:2.3:a:bitrix24:bitrix24:22.0.300.
  • PHP code execution is conditional: it only occurs if the victim browsing the malicious payload holds administrator privilege on the Bitrix24 instance.