CVE-2024-34882: 
Homebrew vulnerability analysis and mitigation

Insufficiently protected credentials in SMTP server settings in 1C-Bitrix Bitrix24 23.300.100 allows remote administrators to send SMTP account passwords to an arbitrary server via HTTP POST request. The vulnerability was assigned CVE-2024-34882 and has been given a CVSS v3.1 base score of 4.9 (Medium) by NIST and 6.8 (Medium) by CISA-ADP (NVD).

The vulnerability is classified as CWE-522 (Insufficiently Protected Credentials). The issue allows remote administrators to exploit the SMTP settings functionality to obtain SMTP passwords in clear text. The exploitation involves accessing the Administration section's SMTP settings, selecting a server, clicking 'Change', and using developer tools to locate the password field in the source code (BitrixVulns).

The vulnerability enables remote administrators to access and potentially expose SMTP account passwords, which could lead to unauthorized access to email services and potential misuse of email infrastructure. The severity is rated as medium due to the requirement of administrative privileges for exploitation (NVD).

Currently, there is no official fix available for this vulnerability. The recommended mitigation strategy is to implement least privilege credentials and differentiate access rights based on the role model (BitrixVulns).