cbcvebase.
CVE-2020-7796
published 2020-02-18

CVE-2020-7796: Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is enabled.

PriorityP191critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVITWEXPLOIT
CISA Known Exploited Vulnerabilitydue 2026-03-10
Exploited in the wild
EPSS
85.42%
99.7th percentile
Zimbra Collaboration Suite (ZCS) before 8.8.15 Patch 7 allows SSRF when WebEx zimlet is installed and zimlet JSP is enabled.

Affected

2 ranges
VendorProductVersion rangeFixed in
synacorzimbra_collaboration_suite< 8.8.158.8.15
synacorzimbra_collaboration_suite

Detection & IOCsextracted from sources · hover to see the quote

url/zimlet/com_zimbra_webex/httpPost.jsp?companyId=http://{{interactsh-url}}%23
url/service/error/sfdc_preauth.jsp?session=s&userid=1&server=http://{{interactsh-url}}%23.salesforce.com/
path/zimlet/com_zimbra_webex/httpPost.jsp
path/service/error/sfdc_preauth.jsp
  • Probe for SSRF via the WebEx zimlet endpoint by supplying an out-of-band callback URL in the `companyId` parameter; confirm exploitation by observing an HTTP interaction on the OAST/interactsh listener.
  • Probe for SSRF via the Salesforce pre-auth JSP endpoint by supplying an out-of-band callback URL in the `server` parameter; confirm exploitation by observing an HTTP interaction on the OAST/interactsh listener.
  • Both SSRF vectors are unauthenticated (no session/auth cookie required); any HTTP request to the vulnerable paths from an unauthenticated source should be treated as suspicious.
  • Use Shodan/FOFA/Google dorks to identify exposed Zimbra instances as potential targets: look for HTTP titles 'zimbra collaboration suite' or 'zimbra web client sign in'.
  • Exploitation requires the WebEx zimlet to be installed and zimlet JSP to be enabled; check for presence of `com_zimbra_webex` zimlet in the deployment as a precondition indicator.
  • ·The SSRF via `httpPost.jsp` is only exploitable when the `com_zimbra_webex` zimlet is installed AND zimlet JSP execution is enabled on the server; detections targeting this path will produce false negatives on deployments without the zimlet.
  • ·The `sfdc_preauth.jsp` vector (CWE-99 / CWE-918) is tracked under the same CVE but targets a different endpoint; detection rules must cover both paths independently.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.8MEDIUMAV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck9.8CRITICAL
cisa9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.