PT-2020-13567 · Bitrix+1 · Bitrix24+1

Mariusz Poplawski

Published

2020-06-24

Updated

2025-11-15

CVE-2020-13484

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Bitrix24 versions prior to 20.0.976

Description The issue allows for Server-Side Request Forgery (SSRF) via an intranet IP address in the "services/main/ajax.php?action=attachUrlPreview" API endpoint, specifically through the url parameter. This occurs when the destination URL hosts an HTML document containing a '<meta name="og:image" content="' tag followed by an intranet URL.

Recommendations For Bitrix24 versions prior to 20.0.976, as a temporary workaround, consider restricting access to the "services/main/ajax.php?action=attachUrlPreview" API endpoint until a patch is available. Avoid using the url parameter in this endpoint with potentially malicious URLs.

Exploit

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-918

Related Identifiers

CVE-2020-13484

Affected Products

Bitrix

Bitrix24

PT-2020-13567 · Bitrix+1 · Bitrix24+1

CVE-2020-13484

Weakness Enumeration

Related Identifiers

Affected Products

References · 3