In the vote (aka "Polls, Votes") module prior to 21.0.100 of Bitrix Site Manager, a remote unauthenticated attacker can execute arbitrary code.
bitrix24 bitrix24