CVE-2020-7796
In short
Zimbra email server versions before 8.8.15 Patch 7 have a flaw in the WebEx plugin that allows attackers to make the server connect to internal or external systems on their behalf, potentially exposing sensitive data or compromising internal infrastructure.
Technical detail
Server-Side Request Forgery (SSRF) vulnerability in Zimbra Collaboration Suite WebEx zimlet when JSP execution is enabled. Attackers can craft requests to the zimlet endpoint to force the server to make HTTP requests to arbitrary internal or external targets, bypassing network controls and potentially accessing restricted resources or metadata services.
Summary generated and translated by AI from the official description.
Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is enabled.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a