The exploitation of this vulnerability is relatively straightforward, making it a prime target for threat actors. The attack chain typically proceeds as follows:
Look for the following in Zimbra logs (/opt/zimbra/log/access_log.nginx*, mailbox.log):
GET /service/home/~/?auth=co&fmt=riched&user=INBOX%22%3E%3Cscript%3E
POST /service/proxy?target=https://attacker.com/
Abnormal Calendar invite with HTML payload in DESCRIPTION field
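An added example (not from the original page or from Zimbra) that applies the two request indicators listed above to access-log lines. It assumes the request line is quoted as in the common log format; `ALLOWED_PROXY_HOSTS` and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: each log line contains a quoted request line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Script tag or attribute break-out ("> or '>) inside a decoded parameter value.
MARKUP_RE = re.compile(r'<\s*script|["\']\s*>', re.IGNORECASE)
# Hypothetical allowlist: hosts the proxy servlet is expected to reach at your site.
ALLOWED_PROXY_HOSTS = {"mail.example.test"}

# Constructed sample lines (documentation IP ranges), not real log data.
SAMPLE = [
    '198.51.100.7 - - [01/Mar/2020:10:00:01 +0000] "GET /service/home/~/'
    '?auth=co&fmt=riched&user=INBOX%22%3E%3Cscript%3E HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Mar/2020:10:00:05 +0000] "POST /service/proxy'
    '?target=https://attacker.com/ HTTP/1.1" 200 90',
    '192.0.2.10 - - [01/Mar/2020:10:01:00 +0000] "GET /service/home/~/'
    '?auth=co&fmt=json HTTP/1.1" 200 2048',
]

def classify(line):
    """Return a list of finding labels for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    findings = []
    if url.path.startswith("/service/proxy"):
        for target in params.get("target", []):
            host = (urlsplit(target).hostname or "").lower()
            if host not in ALLOWED_PROXY_HOSTS:
                findings.append(f"proxy-external-target:{host or '?'}")
    if url.path.startswith("/service/home/"):
        for name, values in params.items():
            # unquote() once more so double-encoded markup is also caught
            if any(MARKUP_RE.search(unquote(v)) for v in values):
                findings.append(f"markup-in-param:{name}")
    return findings

def scan(lines):
    """Return (line_number, findings) for every line with at least one finding."""
    hits = [(n, classify(line)) for n, line in enumerate(lines, 1)]
    return [(n, f) for n, f in hits if f]

if __name__ == "__main__":
    for lineno, findings in scan(SAMPLE):
        print(lineno, ", ".join(findings))
```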
Also monitor for:
CVE ID: CVE-2020-7796
Severity: High (CVSS 7.5 – 8.2 depending on configuration)
Affected Software: Zimbra Collaboration Suite (ZCS) versions prior to 8.8.15.patch7 and 8.8.12.patch11.
Vulnerability Type: Unrestricted Upload of File with Dangerous Type (Remote Code Execution)