Threat Encyclopedia

Critical Server-Side Request Forgery and Cross-Site Scripting Vulnerabilities for Bitrix24

Description

Bitrix24 through 20.0.975 allows Server-Side Request Forgery (SSRF) via an intranet IP address in the url parameter of services/main/ajax.php?action=attachUrlPreview. Versions before 20.0.0 allow Cross-Site Scripting (XSS) via the items [ITEMS][ID] parameter.
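The SSRF described above is the classic URL-preview pattern: a server-side fetcher follows whatever URL the user supplies, including addresses on the intranet. The check below, added here as an illustration and not Bitrix24's own code or its fix, shows the defender-side control for that pattern: parse the URL, resolve the host, and refuse to fetch anything that lands in loopback, RFC 1918, link-local (including the cloud metadata range), CGNAT, multicast or IPv6 equivalents, with IPv4-mapped IPv6 addresses unwrapped first. The `FAKE_DNS` table and the `resolve` parameter are constructed for offline use; the function names are this example's own.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Address ranges a URL-preview fetcher must never reach. The list is explicit
# rather than relying on ipaddress.is_private, which does not flag every range
# (for example 100.64.0.0/10, the CGNAT block).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def is_blocked_ip(ip_str):
    """True if the address is internal/reserved or cannot be parsed (fail closed)."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return True
    # Check ::ffff:10.0.0.1 as 10.0.0.1 so the mapped form cannot bypass the list.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def _system_resolve(host):
    """Resolve a hostname to every A/AAAA address the system resolver returns."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_preview_url(url, resolve=None):
    """Decide whether a user-supplied preview URL may be fetched.

    Returns (ok, reason, addresses). When ok is True, addresses holds the
    vetted IPs; the fetcher should connect to one of those rather than
    resolving the name a second time (a second lookup reopens the door to
    DNS rebinding).
    """
    resolve = resolve or _system_resolve
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", []
    host = parts.hostname          # strips port, userinfo and IPv6 brackets
    if not host:
        return False, "missing host", []
    try:
        addresses = [str(ipaddress.ip_address(host))]   # literal IP in the URL
    except ValueError:
        try:
            addresses = resolve(host)
        except OSError:
            return False, "DNS resolution failed", []
        if not addresses:
            return False, "host resolved to no addresses", []
    # Every resolved address must be acceptable: a name that returns one public
    # and one internal record is still rejected.
    blocked = [a for a in addresses if is_blocked_ip(a)]
    if blocked:
        return False, "resolves to blocked address %s" % blocked[0], []
    return True, "ok", addresses


# Constructed DNS table so the example runs offline; not real records.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.corp": ["10.1.2.3"],
    "rebind.test": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolve(host):
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in ("http://example.com/page", "http://10.0.0.5/admin",
                      "http://[::ffff:192.168.1.1]/", "http://rebind.test/",
                      "http://169.254.169.254/latest/meta-data", "ftp://example.com/"):
        print(candidate, validate_preview_url(candidate, fake_resolve)[:2])
```

In a real deployment the allowed list of addresses returned by `validate_preview_url` is the one the HTTP client should connect to, and redirects returned by the fetched page need the same check applied to each hop, otherwise a public URL that 302s to an intranet address undoes the validation.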

Affected Products

Bitrix24