The vulnerability stems from the application's handling of user-supplied links, which are fetched by an internal Collector API using a headless browser. This process inadvertently allows JavaScript code within the fetched pages to execute fetch requests to internal web applications, facilitating SSRF attacks. Attackers can exploit this to perform port scanning, access internal web apps, and escalate the attack by exploiting vulnerabilities in the Collector API for arbitrary file deletion and accessing sensitive log files.

An attacker hosts a malicious HTML file containing JavaScript code designed to send requests to internal applications and then uploads the link to this file using the application's upload link feature. The server fetches and processes the link, executing the malicious JavaScript, which performs actions such as port scanning or interacting with the Collector API to delete files or read sensitive logs. The server's responses are then forwarded to the attacker's server.

Users with manager or admin roles who can upload links are able to exploit this vulnerability. However, the ultimate impact is on the security and integrity of the server hosting the application, as it allows for unauthorized actions such as file deletion and access to sensitive information.