Bypassing XSS Sanitization in Bitrix24 22.0.300 via Logic Error in mb_strpos()

CVE-2023-1715 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

A logic error in the use of mb_strpos() to check for potential XSS payloads in Bitrix24 22.0.300 allows attackers to bypass XSS sanitisation by placing HTML tags at the beginning of the payload.
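The pattern the description points to, shown as an added PHP illustration that is not Bitrix24's code (the exact shape of the vulnerable check is an assumption inferred from the advisory): mb_strpos() returns the integer offset 0 when the tag is the very first character, and a truthiness test on that return value reads 0 as "not found".

```php
<?php
// Added illustration, not Bitrix24 source. Reproduces the check
// pattern the advisory implies (return value of mb_strpos() used
// directly as a boolean); the real Bitrix24 code may differ.

/**
 * Flawed check: uses the offset returned by mb_strpos() as a boolean.
 * When the first '<' sits at offset 0, mb_strpos() returns int(0),
 * which PHP treats as false, so a payload that starts with a tag is
 * accepted as "clean".
 */
function looksLikeXssFlawed(string $input): bool
{
    // BUG: offset 0 (tag at the very beginning) is indistinguishable from false here.
    if (mb_strpos($input, '<') && mb_strpos($input, '>')) {
        return true;
    }
    return false;
}

/**
 * Corrected check: compare against false with the identity operator,
 * so offset 0 counts as a match. (Detection like this is a blocklist
 * heuristic; output encoding with htmlspecialchars() remains the
 * primary defence.)
 */
function looksLikeXssFixed(string $input): bool
{
    return mb_strpos($input, '<') !== false
        && mb_strpos($input, '>') !== false;
}

// Constructed sample inputs with the expected verdict.
$samples = [
    'hello <b>bold</b>'     => true,  // tag not at offset 0: both checks catch it
    '<b>bold</b> hello'     => true,  // tag at offset 0: flawed check returns false
    'plain text, no markup' => false,
];

foreach ($samples as $input => $expected) {
    printf(
        "%-24s flawed=%-5s fixed=%-5s expected=%s\n",
        var_export($input, true),
        var_export(looksLikeXssFlawed($input), true),
        var_export(looksLikeXssFixed($input), true),
        var_export($expected, true)
    );
}
```

Run with the PHP CLI (mbstring extension required); the second sample is the case where the flawed check disagrees with the expected verdict.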