Eight vulnerabilities were found in the IT service for business Bitrix24 – Kommersant
[ad_1]
The data bank of threats and information security of the Federal Service for Technical and Export Control (FTSEC) has registered eight vulnerabilities in the Bitrix24 business management service. Due to these vulnerabilities, it is theoretically possible to gain illegal access to protected information service.
In conversation with the publication RBC a representative of 1C-Bitrix stated that all cloud versions of Bitrix24 “have long been updated and protected from these vulnerabilities.” According to him, the latest announced vulnerabilities cannot be exploited by anonymous external visitors, but only by internal users with high privileges.
Information about problems with the Bitrix24 service appeared in the FTSEC database on November 1. According to the database, these vulnerabilities allow the execution of arbitrary JavaScript code, as well as cross-site scripting (XSS) attacks. In the database, this vulnerability is assigned a “critical danger level”. There is no information about their elimination in the database.
Aleksey Lukatsky, business consultant for information security at Positive Technologies, who was the first to draw attention to the emergence of vulnerabilities in the database, notes that FSTEC is responsible for the technical protection of confidential information of government agencies and owners of critical information infrastructure. Critical vulnerabilities must be fixed within 24 hours, less critical ones – from seven to 30 days.
The Bitrix24 service belongs to the 1C-Bitrix company, which develops management systems for web projects and corporate portals. According to information from the IT marketplace Market.CNews, Bitrix24 is the leader in the rating of CRM systems for medium and small businesses in 2023. The portal provides access to corporate chat, disk, calendar, groups and other tools, as well as a sales and customer communications management system (CRM), and a contact center. In 2021, 10 million companies were registered on the service.
[ad_2]
Source link
