CVE-2020-24710: Gophish vulnerable to Server-Side Request Forgery

The vulnerability stemmed from unrestricted outbound network connections in multiple components. The commit adds a RestrictedDialer to three critical paths: 1) Website import functionality (controllers/api/import.go) which made arbitrary HTTP requests, 2) IMAP client connections (imap/imap.go), and 3) SMTP dialer setup (models/smtp.go). These functions previously used Go's default network dialer without IP validation, allowing access to internal endpoints like cloud metadata services (169.254.169.254). The vulnerability is confirmed by the patch patterns, CVE description, and Herolab's advisory showing these components were used for internal network probing.