CVE-2020-7796 Zimbra Collaboration Suite
This can lead to unauthorized access to sensitive internal data or administrative interfaces.
Arbitrary Requests
By providing a URL to an internal or external resource (e.g., http://169.254.169.254/latest/meta-data/), an attacker could force the Zimbra server to retrieve that resource, potentially exposing sensitive internal information such as cloud instance metadata.
Attackers can use the compromised trusted domain to send internal phishing emails to other employees.
An unauthenticated remote attacker can construct a specific HTTP request pointing to an internal IP address or external server.
[Attacker]
    │
    │ 1. Sends malicious payload via HTTP request
    ▼
[Zimbra External Webmail Interface]
    │
    │ 2. Parses WebEx Zimlet JSP file without validation
    ▼
[Internal Network / Protected Resources] (Firewall Bypassed)

The Vulnerable Component
The core of CVE-2020-7796 lies in the improper validation of user input within the "mboximport" functionality.
