Updated: CVE-2020-7796 in Zimbra Collaboration Suite

Exploitable by completely unauthenticated, remote threat actors.

The vulnerability is specifically linked to the WebEx Zimlet (com_zimbra_webex) when the Zimlet JSP functionality is enabled.

Affected versions (update to the latest patch level): Zimbra Collaboration Suite (ZCS) versions prior to 8.8.15 Patch 7.

Technical Breakdown: The Mechanism of Exploitation

The bug lives in Zimbra's integrated Zimlet module. Zimlets are add-ons used to extend Zimbra web client functionality. When the WebEx Zimlet is installed and its corresponding JavaServer Pages (JSP) handler is enabled, an endpoint is exposed that processes user-supplied URLs.

Zimbra allows extensions and custom handlers via Java servlets. One such servlet is the UserServlet (or ProxyServlet), which is designed to fetch resources on behalf of a user. This servlet accepts parameters that specify the target URL or resource path.

The vulnerability carries a maximum , indicating low attack complexity and the absence of any authentication or user interaction requirements.

The Root Cause
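The servlet behaviour described above, a server fetching whatever URL a user supplies, is the server-side request forgery (SSRF) pattern, and SSRF is the vulnerability class of CVE-2020-7796. As an added example that is not Zimbra's code, the Python below shows the vetting a proxy-style handler needs before it fetches anything: a scheme, port and host allowlist, no credentials embedded in the URL, and a check that every address the host resolves to is public, so that an allowlisted name cannot quietly point at loopback or an internal network. The allowlist, host names and DNS answers are constructed for the example; the checker function and its injectable resolver are hypothetical names, not Zimbra APIs.

```python
"""Allowlist-based vetting for a server-side "fetch this URL for the user" endpoint.

Added example, not Zimbra's code. All hosts, allowlist entries and DNS answers
below are constructed for illustration.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed deployment policy: the only destinations this proxy may reach.
ALLOWED_HOSTS = {"meetings.example.com", "api.example.com"}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def resolve_all(host):
    """Default resolver: every address the system resolver returns for host."""
    return {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}


def check_outbound_url(url, resolver=resolve_all, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason); ok is True only when every check passes.

    The caller must then connect to one of the vetted addresses (or repeat this
    check at connect time) so a DNS answer cannot change between check and use.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL are not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port  # raises ValueError for non-numeric or out-of-range ports
    except ValueError as exc:
        return False, "invalid port: %s" % exc
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, "port not allowed: %d" % port
    if host not in allowed_hosts:  # urlsplit already lowercases the hostname
        return False, "host not on allowlist: %r" % host
    try:
        addrs = resolver(host)
    except (socket.gaierror, OSError) as exc:
        return False, "resolution failed: %s" % exc
    # Reject loopback, private, link-local, multicast and other non-public ranges.
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if not ip.is_global:
            return False, "%s resolves to non-public address %s" % (host, ip)
    return True, "ok"


# Constructed DNS answers so the example runs offline (hypothetical data).
FAKE_DNS = {
    "meetings.example.com": {"93.184.216.34"},  # public address
    "api.example.com": {"10.0.0.5"},            # allowlisted name pointing inside
}


def fake_resolver(host):
    """Offline stand-in for resolve_all using the constructed FAKE_DNS table."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror("no such host: %s" % host)


def demo():
    """Run the checker over constructed inputs; returns {url: (ok, reason)}."""
    samples = [
        "https://meetings.example.com/join?id=1",   # allowed
        "https://api.example.com/",                 # allowlisted but resolves to 10/8
        "file:///etc/hosts",                        # wrong scheme
        "http://user:pw@meetings.example.com/",     # embedded credentials
        "http://localhost:7071/",                   # port outside policy
        "http://other.example.com/",                # not on allowlist
        "http://[::1]/",                            # IPv6 loopback literal
    ]
    return {u: check_outbound_url(u, fake_resolver) for u in samples}


if __name__ == "__main__":
    for url, (ok, reason) in demo().items():
        print("%-45s %s (%s)" % (url, "ALLOW" if ok else "DENY", reason))
```

The order of the checks matters less than the fact that the host allowlist and the resolved-address check are both present: the allowlist stops arbitrary destinations, and the address check catches the case where an allowlisted name resolves (by misconfiguration or rebinding) to something internal.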