Security Vulnerabilities fixed in Bitrix24 25-05-2020

Description

Bitrix24 through 20.0.975 allows Server-Side Request Forgery (SSRF) via an intranet IP address in the url parameter of services/main/ajax.php?action=attachUrlPreview. Versions before 20.0.0 allow Cross-Site Scripting (XSS) via the items[ITEMS][ID] parameter.
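For triage on an unpatched instance, the following added example (not part of the advisory or of Bitrix24) scans web access log lines for attachUrlPreview requests whose url parameter is an internal IP literal. It assumes a combined-format access log in which the url parameter appears in the logged query string; the sample log lines are constructed, and the check also covers loopback and link-local addresses, which goes slightly beyond the "intranet IP" case named above.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/services/main/ajax.php"   # path named in the advisory
ACTION = "attachUrlPreview"            # action named in the advisory
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def is_internal(target):
    """True if the target URL's host is an IP literal in a non-public range.
    Hostnames and integer-encoded addresses are not resolved here; treat this
    as a first-pass filter, not a complete SSRF check."""
    try:
        host = urlsplit(target if "//" in target else "//" + target).hostname
        ip = ipaddress.ip_address(host or "")
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local

def flag_line(line):
    """Return the suspicious url value from one log line, or None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group(1))
    if not parts.path.endswith(ENDPOINT):
        return None
    qs = parse_qs(parts.query)          # also percent-decodes the values
    if ACTION not in qs.get("action", []):
        return None
    return next((u for u in qs.get("url", []) if is_internal(u)), None)

def scan(lines):
    return [hit for hit in map(flag_line, lines) if hit]

# Constructed sample log lines (not taken from a real system).
PREFIX = '198.51.100.7 - - [25/May/2020:10:00:01 +0000] "GET '
SAMPLE_LOG = [
    PREFIX + ENDPOINT + '?action=attachUrlPreview&url=http%3A%2F%2F192.168.1.10%2Fstatus HTTP/1.1" 200 512',
    PREFIX + ENDPOINT + '?action=attachUrlPreview&url=https%3A%2F%2Fexample.com%2Fnews HTTP/1.1" 200 900',
    PREFIX + ENDPOINT + '?action=attachUrlPreview&url=http%3A%2F%2F127.0.0.1%3A8080%2F HTTP/1.1" 200 77',
    PREFIX + '/index.php?url=http%3A%2F%2F10.0.0.1%2F HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("possible SSRF probe:", hit)
```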

Affected Applications

Bitrix24