Security Bulletins

Zoom does not provide vulnerability impact guidance for individual customers beyond a Zoom security bulletin, and does not provide further details about a vulnerability. We recommend that users update to the latest version of the Zoom software to receive the latest fixes and security improvements.

ZSB Date Title Severity CVE (if applicable)
ZSB-24008 02/13/2024 Zoom Desktop Client for Windows, Zoom VDI Client for Windows and Zoom Meeting SDK for Windows - Improper Input Validation Critical CVE-2024-24691

Severity: Critical

CVSS Score: 9.6

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Description: Improper input validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows and Zoom Meeting SDK for Windows may allow an unauthenticated user to conduct an escalation of privilege via network access.

Users can help keep themselves secure by downloading the latest updates available at https://zoom.us/download.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.16.5
  • Zoom VDI Client for Windows before version 5.16.10 (excluding 5.14.14 and 5.15.12)
  • Zoom Rooms Client for Windows before version 5.17.0
  • Zoom Meeting SDK for Windows before version 5.16.5

Source: Reported by Zoom Offensive Security Team.

ZSB-24007 02/13/2024 Zoom Clients - Improper Input Validation Medium CVE-2024-24690

Severity: Medium

CVSS Score: 5.4

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Description: Improper input validation in some Zoom clients may allow an authenticated user to conduct a denial of service via network access.

Users can help keep themselves secure by downloading the latest updates available at https://zoom.us/download.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.16.5
  • Zoom Video SDK for Windows before version 5.16.5
  • Zoom Desktop Client for macOS before version 5.16.5
  • Zoom Desktop Client for Linux before version 5.16.5
  • Zoom VDI Client for Windows before version 5.16.10 (excluding 5.14.14 and 5.15.12)
  • Zoom Mobile App for Android before version 5.16.5
  • Zoom Mobile App for iOS before version 5.16.5
  • Zoom Rooms Clients before version 5.17.0
  • Zoom Meeting SDKs before version 5.16.5

Source: Reported by Zoom Offensive Security Team.

ZSB-24006 02/13/2024 Zoom Clients - Business Logic Error Medium CVE-2024-24699

Severity: Medium

CVSS Score: 6.5

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Description: Business logic error in In-Meeting Chat for some Zoom clients may allow an authenticated user to conduct a disclosure of information via network access.

Users can help keep themselves secure by downloading the latest updates available at https://zoom.us/download.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.16.5
  • Zoom Desktop Client for macOS before version 5.16.5
  • Zoom Desktop Client for Linux before version 5.16.5
  • Zoom VDI Client for Windows before version 5.17.5 (excluding 5.15.15 and 5.16.10)
  • Zoom Mobile App for Android before version 5.16.5
  • Zoom Mobile App for iOS before version 5.16.5
  • Zoom Rooms Clients before version 5.17.0
  • Zoom Meeting SDKs before version 5.16.5

Source: Reported by Zoom Offensive Security Team.

ZSB-24005 02/13/2024 Zoom Clients - Improper Authentication Medium CVE-2024-24698

Severity: Medium

CVSS Score: 4.9

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Description: Improper authentication in some Zoom clients may allow a privileged user to conduct a disclosure of information via local access.

Users can help keep themselves secure by downloading the latest updates available at https://zoom.us/download.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.17.0
  • Zoom Desktop Client for macOS before version 5.17.0
  • Zoom Desktop Client for Linux before version 5.17.0
  • Zoom VDI Client for Windows before version 5.17.5 (excluding 5.15.15 and 5.16.12)
  • Zoom Mobile App for Android before version 5.17.0
  • Zoom Mobile App for iOS before version 5.17.0
  • Zoom Rooms Client for Windows before version 5.17.0
  • Zoom Meeting SDKs before version 5.17.0

Source: Reported by Zoom Offensive Security Team.

ZSB-24004 02/13/2024 Zoom Clients - Untrusted Search Path High CVE-2024-24697

Severity: High

CVSS Score: 7.2

CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

Description: Untrusted search path in some Zoom 32-bit Windows clients may allow an authenticated user to conduct an escalation of privilege via local access.

Users can help keep themselves secure by downloading the latest updates available at https://zoom.us/download.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.17.0
  • Zoom VDI Client for Windows before version 5.17.5 (excluding 5.15.15 and 5.16.12)
  • Zoom Meeting SDK for Windows before version 5.17.0
  • Zoom Rooms Client for Windows before version 5.17.0

Source: Reported by sim0nsecurity.

ZSB-24003 02/13/2024 Zoom Desktop Client for Windows, Zoom VDI Client for Windows and Zoom Meeting SDK for Windows - Improper Input Validation Medium CVE-2024-24696

Severity: Medium

CVSS Score: 6.8

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

Description: Improper input validation in In-Meeting Chat for Zoom Desktop Client for Windows, Zoom VDI Client for Windows and Zoom Meeting SDK for Windows may allow an authenticated user to potentially conduct a disclosure of information via network access.

Users can help keep themselves secure by downloading the latest updates available at https://zoom.us/download.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.17.0
  • Zoom VDI Client for Windows before version 5.17.5 (excluding 5.15.15 and 5.16.12)
  • Zoom Meeting SDK for Windows before version 5.17.0

Source: Reported by shmoul.

ZSB-24002 02/13/2024 Zoom Desktop Client for Windows, Zoom VDI Client for Windows and Zoom Meeting SDK for Windows - Improper Input Validation Medium CVE-2024-24695

Severity: Medium

CVSS Score: 6.8

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

Description: Improper input validation in Zoom Desktop Client for Windows, Zoom VDI Client for Windows and Zoom Meeting SDK for Windows may allow an authenticated user to potentially conduct a disclosure of information via network access.

Users can help keep themselves secure by downloading the latest updates available at https://zoom.us/download.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.17.0
  • Zoom VDI Client for Windows before version 5.17.5 (excluding 5.15.15 and 5.16.12)
  • Zoom Meeting SDK for Windows before version 5.17.0

Source: Reported by shmoul.

ZSB-24001 01/09/2024 Zoom Desktop Client for Windows, Zoom VDI Client for Windows and Zoom SDKs for Windows - Improper Access Control Critical CVE-2023-49647

Severity: Critical

CVSS Score: 8.8

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description: Improper access control in Zoom Desktop Client for Windows, Zoom VDI Client for Windows and Zoom SDKs for Windows before version 5.16.10 may allow an authenticated user to conduct an escalation of privilege via local access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.16.10
  • VDI Client for Windows before version 5.16.10 (excluding 5.14.14 and 5.15.12)
  • Zoom Video SDK for Windows before version 5.16.10
  • Zoom Meeting SDK for Windows before version 5.16.10

Source: Reported by sim0nsecurity.

ZSB-23062 12/12/2023 Zoom Clients - Improper Authentication Medium CVE-2023-49646

Severity: Medium

CVSS Score: 5.4

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Description: Improper authentication in some Zoom clients before version 5.16.5 may allow an authenticated user to conduct a denial of service via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.16.5
  • Zoom Desktop Client for macOS before version 5.16.5
  • Zoom Mobile App for iOS before version 5.16.5
  • Zoom Mobile App for Android before version 5.16.5
  • Zoom Desktop Client for Linux before version 5.16.5
  • Zoom VDI Client before version 5.16.5 (excluding 5.14.14 and 5.15.12)
  • Zoom SDKs before version 5.16.5

Source: Reported by Zoom Offensive Security Team.

ZSB-23059 12/12/2023 Zoom Desktop Client for Windows, Zoom VDI Client for Windows and Zoom SDKs for Windows - Untrusted Search Path Critical CVE-2023-43586

Severity: Critical

CVSS Score: 7.3

CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N

Description: Untrusted search path in Zoom Desktop Client for Windows, Zoom VDI Client for Windows and Zoom SDKs for Windows may allow an authenticated user to conduct an escalation of privilege via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.16.5
  • Zoom VDI Client before version 5.16.0 (excluding 5.14.14 and 5.15.12)
  • Zoom Video SDK for Windows before version 5.16.5
  • Zoom Meeting SDK for Windows before version 5.16.5

Source: Reported by shmoul.

ZSB-23058 12/12/2023 Zoom Mobile App for iOS and SDKs for iOS - Improper Access Control High CVE-2023-43585

Severity: High

CVSS Score: 7.1

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

Description: Improper access control in Zoom Mobile App for iOS and Zoom SDKs for iOS before version 5.16.5 may allow an authenticated user to conduct a disclosure of information via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Mobile App for iOS before version 5.16.5
  • Zoom Video SDK for iOS before version 5.16.5
  • Zoom Meeting SDK for iOS before version 5.16.5
  • Zoom Meeting SDK for Android before version 5.16.0

Source: Reported by Zoom Offensive Security Team.

ZSB-23056 12/12/2023 Zoom Mobile App for Android, Zoom Mobile App for iOS and Zoom SDKs - Cryptographic Issues Medium CVE-2023-43583

Severity: Medium

CVSS Score: 4.9

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Description: Cryptographic issues in Zoom Mobile App for Android, Zoom Mobile App for iOS, and Zoom SDKs for Android and iOS before version 5.16.0 may allow a privileged user to conduct a disclosure of information via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Mobile App for Android before version 5.16.0
  • Zoom Mobile App for iOS before version 5.16.0
  • Zoom Video SDK for Android before version 5.16.0
  • Zoom Video SDK for iOS before version 5.16.0
  • Zoom Meeting SDK for Android before version 5.16.0
  • Zoom Meeting SDK for iOS before version 5.16.0

Source: Reported by Zoom Offensive Security Team.

ZSB-23055 11/14/2023 Zoom Clients - Improper Authorization Medium CVE-2023-43582

Severity: Medium

CVSS Score: 5.5

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Description: Improper authorization in some Zoom clients may allow an authorized user to conduct an escalation of privilege via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.16.0
  • Zoom Desktop Client for macOS before version 5.16.0
  • Zoom Mobile App for iOS before version 5.16.0
  • Zoom Mobile App for Android before version 5.16.0
  • Zoom Desktop Client for Linux before version 5.16.0
  • Zoom Rooms Client for Windows before version 5.16.0
  • Zoom Rooms Client for macOS before version 5.16.0
  • Zoom Rooms Client for Android before version 5.16.0
  • Zoom Rooms Client for iPad before version 5.16.0
  • Zoom VDI Client before version 5.16.0 (excluding 5.14.13 and 5.15.11)
  • Zoom Meeting SDK for Windows before version 5.16.0
  • Zoom Meeting SDK for iOS before version 5.16.0
  • Zoom Meeting SDK for Android before version 5.16.0
  • Zoom Meeting SDK for macOS before version 5.16.0
  • Zoom Meeting SDK for Linux before version 5.16.0

Source: Reported by Zoom Offensive Security Team.

ZSB-23054 11/14/2023 Zoom Rooms for macOS - Improper Privilege Management High CVE-2023-43591

Severity: High

CVSS Score: 7.8

CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Description: Improper privilege management in Zoom Rooms for macOS before version 5.16.0 may allow an authenticated user to conduct an escalation of privilege via local access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Rooms for macOS before version 5.16.0

Source: Reported by Eugene Lim (spaceraccoon).

ZSB-23053 11/14/2023 Zoom Rooms for macOS - Link Following High CVE-2023-43590

Severity: High

CVSS Score: 7.8

CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Description: Link following in Zoom Rooms for macOS before version 5.16.0 may allow an authenticated user to conduct an escalation of privilege via local access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Rooms for macOS before version 5.16.0

Source: Reported by Eugene Lim (spaceraccoon).

ZSB-23052 11/14/2023 Zoom Clients - Insufficient Control Flow Management Low CVE-2023-43588

Severity: Low

CVSS Score: 3.5

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Description: Insufficient control flow management in some Zoom clients may allow an authenticated user to conduct an information disclosure via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.16.0
  • Zoom Desktop Client for macOS before version 5.16.0
  • Zoom Desktop Client for Linux before version 5.16.0
  • Zoom VDI Client before version 5.16.0 (excluding 5.14.13 and 5.15.11)
  • Zoom Meeting SDK for Windows before version 5.16.0
  • Zoom Meeting SDK for iOS before version 5.16.0
  • Zoom Meeting SDK for Linux before version 5.16.0

Source: Reported by Zoom Offensive Security Team.

ZSB-23051 11/14/2023 Zoom Clients - Cryptographic Issues Medium CVE-2023-39199

Severity: Medium

CVSS Score: 4.9

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Description: Cryptographic issues with In-Meeting Chat for some Zoom clients may allow a privileged user to conduct an information disclosure via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.16.0
  • Zoom Desktop Client for macOS before version 5.16.0
  • Zoom Mobile App for iOS before version 5.16.0
  • Zoom Mobile App for Android before version 5.16.0
  • Zoom Desktop Client for Linux before version 5.16.0
  • Zoom Rooms Client for Windows before version 5.16.0
  • Zoom Rooms Client for macOS before version 5.16.0
  • Zoom Rooms Client for Android before version 5.16.0
  • Zoom Rooms Client for iPad before version 5.16.0
  • Zoom VDI Client before version 5.16.0 (excluding 5.14.13 and 5.15.11)
  • Zoom Meeting SDK for Windows before version 5.16.0
  • Zoom Meeting SDK for iOS before version 5.16.0
  • Zoom Meeting SDK for Android before version 5.16.0
  • Zoom Meeting SDK for macOS before version 5.16.0
  • Zoom Meeting SDK for Linux before version 5.16.0

Source: Reported by Zoom Offensive Security Team.

ZSB-23050 11/14/2023 Zoom Clients - Buffer Overflow Low CVE-2023-39206

Severity: Low

CVSS Score: 3.7

CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Description: Buffer overflow in some Zoom clients may allow an unauthenticated user to conduct a denial of service via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.16.0
  • Zoom Desktop Client for macOS before version 5.16.0
  • Zoom Mobile App for iOS before version 5.16.0
  • Zoom Mobile App for Android before version 5.16.0
  • Zoom Desktop Client for Linux before version 5.16.0
  • Zoom Rooms Client for Windows before version 5.16.0
  • Zoom Rooms Client for macOS before version 5.16.0
  • Zoom Rooms Client for Android before version 5.16.0
  • Zoom Rooms Client for iPad before version 5.16.0
  • Zoom VDI Client before version 5.16.0 (excluding 5.14.13 and 5.15.11)
  • Zoom Video SDK for Windows before version 1.9.0
  • Zoom Video SDK for macOS before version 1.9.0
  • Zoom Video SDK for Android before version 1.9.0
  • Zoom Video SDK for iOS before version 1.9.0
  • Zoom Video SDK for Linux before version 1.9.0
  • Zoom Meeting SDK for Windows before version 5.16.0
  • Zoom Meeting SDK for iOS before version 5.16.0
  • Zoom Meeting SDK for Android before version 5.16.0
  • Zoom Meeting SDK for macOS before version 5.16.0
  • Zoom Meeting SDK for Linux before version 5.16.0

Source: Reported by Zoom Offensive Security Team.

ZSB-23049 11/14/2023 Zoom Clients - Improper Conditions Check Medium CVE-2023-39205

Severity: Medium

CVSS Score: 4.3

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description: Improper conditions check in Zoom Team Chat for Zoom clients may allow an authenticated user to conduct a denial of service via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.16.0
  • Zoom Desktop Client for macOS before version 5.16.0
  • Zoom Mobile App for iOS before version 5.16.0
  • Zoom Mobile App for Android before version 5.16.0
  • Zoom Desktop Client for Linux before version 5.16.0
  • Zoom VDI Client before version 5.16.0 (excluding 5.14.13 and 5.15.11)
  • Zoom Video SDK for Windows before version 1.9.0
  • Zoom Video SDK for macOS before version 1.9.0
  • Zoom Video SDK for Android before version 1.9.0
  • Zoom Video SDK for iOS before version 1.9.0
  • Zoom Video SDK for Linux before version 1.9.0
  • Zoom Meeting SDK for Windows before version 5.16.0
  • Zoom Meeting SDK for iOS before version 5.16.0
  • Zoom Meeting SDK for Android before version 5.16.0

Source: Reported by Zoom Offensive Security Team.

ZSB-23048 11/14/2023 Zoom Clients - Buffer Overflow Medium CVE-2023-39204

Severity: Medium

CVSS Score: 4.3

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Description: Buffer overflow in some Zoom clients may allow an unauthenticated user to conduct a denial of service via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.15.10
  • Zoom Desktop Client for macOS before version 5.15.10
  • Zoom Mobile App for iOS before version 5.15.10
  • Zoom Mobile App for Android before version 5.15.10
  • Zoom Desktop Client for Linux before version 5.15.10
  • Zoom Rooms Client for Windows before version 5.15.10
  • Zoom Rooms Client for macOS before version 5.15.10
  • Zoom Rooms Client for Android before version 5.15.10

Source: Reported by Zoom Offensive Security Team.

ZSB-23047 11/14/2023 Zoom Desktop Client for Windows and Zoom VDI Client - Uncontrolled Resource Consumption Medium CVE-2023-39203

Severity: Medium

CVSS Score: 4.3

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Description: Uncontrolled resource consumption in Zoom Team Chat for Zoom Desktop Client for Windows and Zoom VDI Client may allow an unauthenticated user to conduct a disclosure of information via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.16.0

Source: Reported by shmoul.

ZSB-23046 11/14/2023 Zoom Rooms Client for Windows and Zoom VDI Client - Untrusted Search Path Low CVE-2023-39202

Severity: Low

CVSS Score: 3.1

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:L

Description: Untrusted search path in Zoom Rooms Client for Windows and Zoom VDI Client may allow a privileged user to conduct a denial of service via local access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Rooms Client for Windows before version 5.16.0
  • Zoom VDI Client before version 5.16.0 (excluding 5.14.13 and 5.15.11)

Source: Reported by sim0nsecurity.

ZSB-23045 09/12/2023 CleanZoom - Untrusted Search Path High CVE-2023-39201

Severity: High

CVSS Score: 7.2

CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H

Description: Untrusted search path in CleanZoom before file date 07/24/2023 may allow a privileged user to conduct an escalation of privilege via local access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • CleanZoom before file date 07/24/2023

Source: Reported by sim0nsecurity.

ZSB-23043 09/12/2023 Zoom Desktop Client for Linux - Improper Input Validation Medium CVE-2023-39208

Severity: Medium

CVSS Score: 6.5

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Description: Improper input validation in Zoom Desktop Client for Linux before version 5.15.10 may allow an unauthenticated user to conduct a denial of service via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Desktop Client for Linux before version 5.15.10

Source: Reported by Antoine Roly (aroly).

ZSB-23040 09/12/2023 Zoom Clients - Improper Authentication High CVE-2023-39215

Severity: High

CVSS Score: 7.1

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

Description: Improper authentication in Zoom clients may allow an authenticated user to conduct a denial of service via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.15.5
  • Zoom Desktop Client for macOS before version 5.15.5

Source: Reported by Zoom Offensive Security Team.

ZSB-23041 08/08/2023 Zoom Desktop Client for Windows - Improper Input Validation Medium CVE-2023-39209

Severity: Medium

CVSS Score: 5.9

CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L

Description: Improper input validation in Zoom Desktop Client for Windows before version 5.15.5 may allow an authenticated user to enable an information disclosure via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.15.5

Source: Reported by Zoom Offensive Security Team.

ZSB-23039 08/08/2023 Zoom Clients - Exposure of Sensitive Information High CVE-2023-39214

Severity: High

CVSS Score: 7.6

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:H

Description: Exposure of sensitive information in Zoom clients before version 5.15.5 may allow an authenticated user to enable a denial of service via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.15.5
  • Zoom Desktop Client for macOS before version 5.15.5
  • Zoom Desktop Client for Linux before version 5.15.5
  • Zoom Mobile App for Android before version 5.15.5
  • Zoom Mobile App for iOS before version 5.15.5
  • Zoom Rooms for iPad before version 5.15.5
  • Zoom Rooms for Android before version 5.15.5
  • Zoom Rooms for Windows before version 5.15.5
  • Zoom Rooms for macOS before version 5.15.5

Source: Reported by Zoom Offensive Security Team.

ZSB-23038 08/08/2023 Zoom Desktop Client for Windows and Zoom VDI Client - Improper Neutralization of Special Elements Critical CVE-2023-39213

Severity: Critical

CVSS Score: 9.6

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Description: Improper neutralization of special elements in Zoom Desktop Client for Windows and Zoom VDI Client may allow an unauthenticated user to enable an escalation of privilege via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.15.2
  • Zoom VDI Client before version 5.15.2
  • Zoom VDI Client before version 5.14.13

Source: Reported by Zoom Offensive Security Team.

ZSB-23037 08/08/2023 Zoom Rooms for Windows - Untrusted Search Path High CVE-2023-39212

Severity: High

CVSS Score: 7.9

CVSS Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H

Description: Untrusted search path in Zoom Rooms for Windows before 5.15.5 may allow an authenticated user to enable a denial of service via local access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Rooms for Windows before version 5.15.5

Source: Reported by sim0nsecurity.

ZSB-23036 08/08/2023 Zoom Desktop Client for Windows and Zoom Rooms for Windows - Improper Privilege Management High CVE-2023-39211

Severity: High

CVSS Score: 8.8

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description: Improper privilege management in Zoom Desktop Client for Windows and Zoom Rooms for Windows before version 5.15.5 may allow an authenticated user to enable an information disclosure via local access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Desktop for Windows before version 5.15.5
  • Zoom Rooms for Windows before version 5.15.5

Source: Reported by sim0nsecurity.

ZSB-23035 08/08/2023 Zoom Client SDK for Windows - Cleartext Storage of Sensitive Information Medium CVE-2023-39210

Severity: Medium

CVSS Score: 5.5

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Description: Cleartext storage of sensitive information in Zoom Client SDK for Windows before version 5.15.0 may allow an authenticated user to enable an information disclosure via local access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Client SDK for Windows before version 5.15.0

Source: Reported by sim0nsecurity.

ZSB-23034 08/08/2023 Zoom Clients - Client-Side Enforcement of Server-Side Security Medium CVE-2023-39218

Severity: Medium

CVSS Score: 6.5

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Description: Client-side enforcement of server-side security in Zoom clients before version 5.14.10 may allow a privileged user to enable information disclosure via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.14.10
  • Zoom Desktop Client for macOS before version 5.14.10
  • Zoom Desktop Client for Linux before version 5.14.10
  • Zoom VDI Host and Plugin before version 5.14.10
  • Zoom Mobile App for Android before version 5.14.10

Source: Reported by Zoom Offensive Security Team.

ZSB-23033 08/08/2023 Zoom Clients - Improper Input Validation Medium CVE-2023-39217

Severity: Medium

CVSS Score: 5.3

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Description: Improper input validation in Zoom clients before version 5.14.10 may allow an unauthenticated user to enable a denial of service via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.14.10
  • Zoom Desktop Client for macOS before version 5.14.10
  • Zoom Desktop Client for Linux before version 5.14.10
  • Zoom VDI Client before version 5.14.10
  • Zoom Mobile App for Android before version 5.14.10
  • Zoom Mobile App for iOS before version 5.14.10
  • Zoom Rooms for iPad before version 5.14.10
  • Zoom Rooms for Android before version 5.14.10
  • Zoom Rooms for Windows before version 5.14.10
  • Zoom Rooms for macOS before version 5.14.10

Source: Reported by Zoom Offensive Security Team.

ZSB-23032 08/08/2023 Zoom Desktop Client for Windows - Improper Input Validation Critical CVE-2023-39216

Severity: Critical

CVSS Score: 9.6

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Description: Improper input validation in Zoom Desktop Client for Windows before version 5.14.7 may allow an unauthenticated user to enable an escalation of privilege via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.14.7

Source: Reported by Zoom Offensive Security Team.

ZSB-23031 08/08/2023 Zoom Clients - Client-Side Enforcement of Server-Side Security High CVE-2023-36535

Severity: High

CVSS Score: 7.1

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

Description: Client-side enforcement of server-side security in Zoom clients before version 5.14.10 may allow an authenticated user to enable information disclosure via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Clients for Windows before version 5.14.10

Source: Reported by Zoom Offensive Security Team.

ZSB-23030 08/08/2023 Zoom Desktop Client for Windows - Path Traversal Critical CVE-2023-36534

Severity: Critical

CVSS Score: 9.3

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H

Description: Path traversal in Zoom Desktop Client for Windows before version 5.14.7 may allow an unauthenticated user to enable an escalation of privilege via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.14.7

Source: Reported by Zoom Offensive Security Team.

ZSB-23029 08/08/2023 Zoom SDKs - Uncontrolled Resource Consumption High CVE-2023-36533

Severity: High

CVSS Score: 7.1

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H

Description: Uncontrolled resource consumption in Zoom SDKs before version 5.14.7 may allow an unauthenticated user to enable a denial of service via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Client SDK for Windows before version 5.14.7

Source: Reported by Zoom Offensive Security Team.

ZSB-23028 08/08/2023 Zoom Clients - Buffer Overflow Medium CVE-2023-36532

Severity: Medium

CVSS Score: 5.9

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Description: Buffer overflow in Zoom clients before version 5.14.5 may allow an unauthenticated user to enable a denial of service via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.14.5

Source: Reported by Zoom Offensive Security Team.

ZSB-23027 08/08/2023 Zoom Desktop Client for Windows - Insufficient Verification of Data Authenticity High CVE-2023-36541

Severity: High

CVSS Score: 8.0

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Description: Insufficient verification of data authenticity in Zoom Desktop Client for Windows before version 5.14.5 may allow an authenticated user to enable an escalation of privilege via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.14.5

Source: Reported by sim0nsecurity.

ZSB-23026 08/08/2023 Zoom Desktop Client for Windows - Untrusted Search Path High CVE-2023-36540

Severity: High

CVSS Score: 7.3

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L

Description: Untrusted search path in the installer for Zoom Desktop Client for Windows before version 5.14.5 may allow an authenticated user to enable an escalation of privilege via local access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.14.5

Source: Reported by sim0nsecurity.

ZSB-23024 07/11/2023 Improper Access Control High CVE-2023-36538

Severity: High

CVSS Score: 8.4

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H

Description: Improper access control in Zoom Rooms for Windows before version 5.15.0 may allow an authenticated user to enable an escalation of privilege via local access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Rooms for Windows before version 5.15.0

Source: Reported by sim0nsecurity.

ZSB-23023 07/11/2023 Improper Privilege Management High CVE-2023-36537

Severity: High

CVSS Score: 7.3

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L

Description: Improper privilege management in Zoom Rooms for Windows before version 5.14.5 may allow an authenticated user to enable an escalation of privilege via local access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Rooms for Windows before version 5.14.5

Source: Reported by sim0nsecurity.

ZSB-23022 07/11/2023 Untrusted Search Path High CVE-2023-36536

Severity: High

CVSS Score: 8.2

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Description: Untrusted search path in the installer for Zoom Rooms for Windows before version 5.15.0 may allow an authenticated user to enable an escalation of privilege via local access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Rooms for Windows before version 5.15.0

Source: Reported by sim0nsecurity.

ZSB-23021 07/11/2023 Insecure Temporary File High CVE-2023-34119

Severity: High

CVSS Score: 8.2

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Description: Insecure temporary file in the installer for Zoom Rooms for Windows before version 5.15.0 may allow an authenticated user to enable an escalation of privilege via local access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Rooms for Windows before version 5.15.0

Source: Reported by sim0nsecurity.

ZSB-23020 07/11/2023 Improper Privilege Management High CVE-2023-34118

Severity: High

CVSS Score: 7.3

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L

Description: Improper privilege management in Zoom Rooms for Windows before version 5.14.5 may allow an authenticated user to enable an escalation of privilege via local access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Rooms for Windows before version 5.14.5

Source: Reported by sim0nsecurity.

ZSB-23019 07/11/2023 Relative Path Traversal Low CVE-2023-34117

Severity: Low

CVSS Score: 3.3

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Description: Relative path traversal in the Zoom Client SDK before version 5.15.0 may allow an unauthorized user to enable information disclosure via local access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Client SDK before version 5.15.0

Source: Reported by Dimitrios Valsamaras of Microsoft.

ZSB-23018 07/11/2023 Improper Input Validation High CVE-2023-34116

Severity: High

CVSS Score: 8.2

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:H

Description: Improper input validation in the Zoom Desktop Client for Windows before version 5.15.0 may allow an unauthorized user to enable an escalation of privilege via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Desktop Client for Windows before version 5.15.0

Source: Reported by sim0nsecurity.

ZSB-23025 06/29/2023 Exposure of Sensitive Information Medium CVE-2023-36539

Severity: Medium

CVSS Score: 5.3

CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Description: Exposure of information intended to be encrypted by some Zoom clients may lead to disclosure of sensitive information.

Zoom encrypts in-meeting chat messages using a per-meeting key and then transmits these encrypted messages between user devices and Zoom using TLS encryption. In the affected products, a copy of each in-meeting chat message was also sent encrypted only using TLS and not with the per-meeting key, including messages sent during End-to-End Encrypted (E2EE) meetings.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download, and by avoiding the in-meeting chat while on the affected versions.

Affected Products:

  • Zoom Desktop Client for Windows 5.15.0 and 5.15.1
  • Zoom Desktop Client for macOS version 5.15.0 only
  • Zoom Desktop Client for Linux version 5.15.0 only

Source: Reported by Zoom Offensive Security Team.

ZSB-23017 06/13/2023 Buffer Copy without Checking Size of Input Medium CVE-2023-34115

Severity: Medium

CVSS Score: 4.0

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Description: Buffer copy without checking size of input in Zoom Meeting SDK before 5.13.0 may allow an authenticated user to potentially enable a denial of service via local access. This issue may cause the Zoom Meeting SDK to crash and need to be restarted.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom for Windows before version 5.14.10

Source: Reported by Siddhi Katariya (chikorita)

ZSB-23015 06/13/2023 Insufficient Verification of Data Authenticity High CVE-2023-34113

Severity: High

CVSS Score: 8.0

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Description: Insufficient verification of data authenticity in Zoom for Windows clients before 5.14.0 may allow an authenticated user to potentially enable an escalation of privilege via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom for Windows clients before version 5.14.0

Source: Reported by sim0nsecurity

ZSB-23014 06/13/2023 Improper Input Validation High CVE-2023-34122

Severity: High

CVSS Score: 7.3

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L

Description: Improper input validation in the installer for Zoom for Windows clients before 5.14.0 may allow an authenticated user to potentially enable an escalation of privilege via local access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom for Windows clients before version 5.14.0

Source: Reported by sim0nsecurity

ZSB-23013 06/13/2023 Improper Input Validation Medium CVE-2023-34121

Severity: Medium

CVSS Score: 4.9

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

Description: Improper input validation in the Zoom for Windows, Zoom Rooms, and Zoom VDI Windows Meeting clients before 5.14.0 may allow an authenticated user to potentially enable an escalation of privilege via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom for Windows clients before version 5.14.0

Source: Reported by Mohit Rawat - ASPIA InfoTech

ZSB-23012 06/13/2023 Improper Privilege Management High CVE-2023-34120

Severity: High

CVSS Score: 8.7

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Description: Improper privilege management in Zoom for Windows, Zoom Rooms for Windows, and Zoom VDI for Windows clients before 5.14.0 may allow an authenticated user to potentially enable an escalation of privilege via local access. Users may potentially utilize higher level system privileges maintained by the Zoom client to spawn processes with escalated privileges.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom for Windows clients before version 5.14.0

Source: Reported by sim0nsecurity

ZSB-23011 06/13/2023 Improper Access Control in Zoom VDI Client Installer High CVE-2023-28603

Severity: High

CVSS Score: 7.7

CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L

Description: Zoom VDI client installer prior to 5.14.0 contains an improper access control vulnerability. A malicious user may potentially delete local files without proper permissions.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom VDI Windows Meeting installer before version 5.14.0

Source: Reported by sim0nsecurity

ZSB-23010 06/13/2023 Improper Verification of Cryptographic Signature in Zoom Clients Low CVE-2023-28602

Severity: Low

CVSS Score: 2.8

CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

Description: Zoom for Windows clients prior to 5.13.5 contain an improper verification of cryptographic signature vulnerability. A malicious user may potentially downgrade Zoom Client components to previous versions.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom for Windows clients before version 5.13.5

Source: Reported by Kirin (Pwnrin)

ZSB-23009 06/13/2023 Improper Restriction of Operations within the Bounds of a Memory Buffer in Zoom Clients Low CVE-2023-28601

Severity: Low

CVSS Score: 2.0

CVSS Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Description: Zoom for Windows clients prior to 5.14.0 contain an improper restriction of operations within the bounds of a memory buffer vulnerability. A malicious user may alter a protected Zoom Client memory buffer, potentially causing integrity issues within the Zoom Client.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom for Windows clients before version 5.14.0

Source: Reported by sim0nsecurity

ZSB-23008 06/13/2023 Improper access control in Zoom Clients Medium CVE-2023-28600

Severity: Medium

CVSS Score: 6.6

CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L

Description: Zoom for macOS clients prior to 5.14.0 contain an improper access control vulnerability. A malicious user may be able to delete or replace Zoom Client files, potentially causing a loss of integrity and availability to the Zoom Client.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom for macOS clients before version 5.14.0

Source: Reported by Koh M. Nakagawa (@tsunek0h)

ZSB-23007 06/13/2023 HTML Injection vulnerability in Zoom Clients Medium CVE-2023-28599

Severity: Medium

CVSS Score: 4.2

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Description: Zoom clients prior to 5.13.10 contain an HTML injection vulnerability. A malicious user could inject HTML into their display name potentially leading a victim to a malicious website during meeting creation.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom for Android, iOS, Linux, macOS, and Windows clients before version 5.13.10

Source: Reported by Mohit Rawat - ASPIA InfoTech

ZSB-23006 06/13/2023 HTML injection in Zoom Linux Clients High CVE-2023-28598

Severity: High

CVSS Score: 7.5

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description: Zoom for Linux clients prior to 5.13.10 contain an HTML injection vulnerability. If a victim starts a chat with a malicious user, it could result in a Zoom application crash.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom for Linux clients before version 5.13.10

Source: Reported by Antoine Roly (aroly)

ZSB-23005 03/14/2023 Improper trust boundary implementation for SMB in Zoom Clients [Updated 2023-04-07] High CVE-2023-28597

Severity: High

CVSS Score: 8.3

CVSS Vector String: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Description: Zoom clients prior to 5.13.5 contain an improper trust boundary implementation vulnerability. If a victim saves a local recording to an SMB location and later opens it using a link from Zoom’s web portal, an attacker positioned on an adjacent network to the victim client could set up a malicious SMB server to respond to client requests, causing the client to execute attacker controlled executables. This could result in an attacker gaining access to a user's device and data, and remote code execution.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

*Changes - 2023-04-07 - Removed Android and iOS from the “Affected Products” section

Affected Products:

  • Zoom (for Linux, macOS, and Windows) clients before version 5.13.5

Source: Reported by Zoom Offensive Security Team

ZSB-23004 03/14/2023 Local Privilege Escalation in Zoom for macOS Installers Medium CVE-2023-28596

Severity: Medium

CVSS Score: 5.2

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

Description: Zoom Client for IT Admin macOS installers before version 5.13.5 contain a local privilege escalation vulnerability. A local low-privileged user could exploit this vulnerability in an attack chain during the installation process to escalate their privileges to root.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Client for Meetings for IT Admin macOS installers before version 5.13.5

Source: Reported by Koh M. Nakagawa (tsunekoh)

ZSB-23003 03/14/2023 Local Privilege Escalation in Zoom for Windows Installers High CVE-2023-22883

Severity: High

CVSS Score: 7.2

CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:H

Description: Zoom Client for IT Admin Windows installers before version 5.13.5 contain a local privilege escalation vulnerability. A local low-privileged user could exploit this vulnerability in an attack chain during the installation process to escalate their privileges to the SYSTEM user.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Client for Meetings for IT Admin Windows installers before version 5.13.5

Source: Reported by sim0nsecurity

ZSB-23002 03/14/2023 Denial of Service in Zoom Clients Medium CVE-2023-22881, CVE-2023-22882

Severity: Medium

CVSS Score: 6.5

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Description: Zoom clients before version 5.13.5 contain a STUN parsing vulnerability. A malicious actor could send specially crafted UDP traffic to a victim Zoom client to remotely cause the client to crash, causing a denial of service.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom (for Android, iOS, Linux, macOS, and Windows) clients before version 5.13.5

Source: Reported by Zoom Offensive Security Team

ZSB-23001 03/14/2023 Information Disclosure in Zoom for Windows Clients Medium CVE-2023-22880

Severity: Medium

CVSS Score: 6.8

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

Description: Zoom for Windows clients before version 5.13.3, Zoom Rooms for Windows clients before version 5.13.5 and Zoom VDI for Windows clients before 5.13.1 contain an information disclosure vulnerability. A recent update to the Microsoft Edge WebView2 runtime used by the affected Zoom clients transmitted text to Microsoft’s online Spellcheck service instead of the local Windows Spellcheck. Updating Zoom remediates this vulnerability by disabling the feature. Updating Microsoft Edge WebView2 Runtime to at least version 109.0.1481.0 and restarting Zoom remediates this vulnerability by updating Microsoft’s telemetry behavior.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom for Windows clients before version 5.13.3

Source: Reported by Zoom Security Team

ZSB-22035 01/06/2023 Local Privilege Escalation in Zoom Rooms for Windows Installers High CVE-2022-36930

Severity: High

CVSS Score: 8.2

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Description: Zoom Rooms for Windows installers before version 5.13.0 contain a local privilege escalation vulnerability. A local low-privileged user could exploit this vulnerability in an attack chain to escalate their privileges to the SYSTEM user.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Rooms for Windows installers before version 5.13.0

Source: Reported by sim0nsecurity

ZSB-22034 01/06/2023 Local Privilege Escalation in Zoom Rooms for Windows Clients High CVE-2022-36929

Severity: High

CVSS Score: 7.8

CVSS Vector String: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Description: Zoom Rooms for Windows clients before version 5.12.7 contain a local privilege escalation vulnerability. A local low-privileged user could exploit this vulnerability in an attack chain to escalate their privileges to the SYSTEM user.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Rooms for Windows clients before version 5.12.7

Source: Reported by sim0nsecurity

ZSB-22033 01/06/2023 Path Traversal in Zoom for Android Clients Medium CVE-2022-36928

Severity: Medium

CVSS Score: 6.1

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Description: Zoom for Android clients before version 5.13.0 contain a path traversal vulnerability. A third party app could exploit this vulnerability to read and write to the Zoom application data directory.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom for Android clients before version 5.13.0

Source: Reported by Dimitrios Valsamaras of Microsoft

ZSB-22032 01/06/2023 Local Privilege Escalation in Zoom Rooms for macOS Clients High CVE-2022-36926, CVE-2022-36927

Severity: High

CVSS Score: 8.8

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description: Zoom Rooms for macOS clients before version 5.11.3 contain a local privilege escalation vulnerability. A local low-privileged user could exploit this vulnerability to escalate their privileges to root.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Rooms for macOS clients before version 5.11.3

Source: Reported by Kirin (Pwnrin)

ZSB-22031 01/06/2023 Insecure key generation for Zoom Rooms for macOS Clients Medium CVE-2022-36925

Severity: Medium

CVSS Score: 4.4

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Description: Zoom Rooms for macOS clients before version 5.11.4 contain an insecure key generation mechanism. The encryption key used for IPC between the Zoom Rooms daemon service and the Zoom Rooms client was generated using parameters that could be obtained by a local low-privileged application. That key can then be used to interact with the daemon service to execute privileged functions and cause a local denial of service.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Rooms for macOS before version 5.11.4

Source: Reported by Kirin (Pwnrin)

ZSB-22030 11/15/2022 Local Privilege Escalation in Zoom Rooms Installer for Windows High CVE-2022-36924

Severity: High

CVSS Score: 8.8

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description: The Zoom Rooms Installer for Windows prior to 5.12.6 contains a local privilege escalation vulnerability. A local low-privileged user could exploit this vulnerability during the install process to escalate their privileges to the SYSTEM user.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Rooms Installer for Windows before version 5.12.6

Source: Reported by sim0nsecurity

ZSB-22029 11/15/2022 Local Privilege Escalation in Zoom Client Installer for macOS High CVE-2022-28768

Severity: High

CVSS Score: 8.8

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description: The Zoom Client for Meetings Installer for macOS (Standard and for IT Admin) before version 5.12.6 contains a local privilege escalation vulnerability. A local low-privileged user could exploit this vulnerability during the install process to escalate their privileges to root.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Client for Meetings Installer for macOS (Standard and for IT Admin) before version 5.12.6

Source: Reported by Zoom Offensive Security Team

ZSB-22021 09/13/2022 Zoom On-Prem Deployments: Improper Access Control Medium CVE-2022-28760

Severity: Medium

CVSS Score: 6.5

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Description: Zoom On-Premise Meeting Connector MMR before version 4.8.20220815.130 contains an improper access control vulnerability. As a result, a malicious actor can join a meeting which they are authorized to join without appearing to the other participants.

For Zoom On-Premise Deployments, IT administrators can help keep their Zoom software up-to-date by following this guidance: https://support.zoom.us/hc/en-us/articles/360043960031

Affected Products:

  • Zoom On-Premise Meeting Connector MMR before version 4.8.20220815.130

Source: Reported by Zoom Offensive Security Team

ZSB-22020 09/13/2022 Zoom On-Prem Deployments: Improper Access Control High CVE-2022-28758, CVE-2022-28759

Severity: High

CVSS Score: 8.2

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Description: Zoom On-Premise Meeting Connector MMR before version 4.8.20220815.130 contains an improper access control vulnerability. As a result, a malicious actor could obtain the audio and video feed of a meeting they were not authorized to join and cause other meeting disruptions.

For Zoom On-Premise Deployments, IT administrators can help keep their Zoom software up-to-date by following this guidance: https://support.zoom.us/hc/en-us/articles/360043960031

Affected Products:

  • Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.11.0

Source: Reported by Zoom Offensive Security Team

ZSB-22012 08/09/2022 Zoom On-Premise Deployments: Stack Buffer Overflow in Meeting Connector High CVE-2022-28750

Severity: High

CVSS Score: 7.5

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description: Zoom On-Premise Meeting Connector Zone Controller (ZC) before version 4.8.20220419.112 fails to properly parse STUN error codes, which can result in memory corruption and could allow a malicious actor to crash the application. In versions older than 4.8.12.20211115, this vulnerability could also be leveraged to execute arbitrary code.

For Zoom On-Premise Deployments, IT administrators can help keep their Zoom software up-to-date by following this guidance:
https://support.zoom.us/hc/en-us/articles/360043960031

Affected Products:

  • Zoom On-Premise Meeting Connector Zone Controller (ZC) before version 4.8.20220419.112

Source: Reported by Zoom Offensive Security Team

ZSB-22011 06/14/2022 Insufficient Authorization Check During Meeting Join Medium CVE-2022-28749

Severity: Medium

CVSS Score: 6.5

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Description: Zoom’s On-Premise Meeting Connector MMR before version 4.8.113.20220526 fails to properly check the permissions of a Zoom meeting attendee. As a result, a threat actor in the Zoom waiting room can join the meeting without the consent of the host.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • On-Premise Meeting Connectors before version 4.8.113.20220526

Source: Reported by Zoom Offensive Security Team

ZSB-22010 06/14/2022 DLL injection in Zoom Opener installer for Zoom and Zoom Rooms clients High CVE-2022-22788

Severity: High

CVSS Score: 7.1

CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Description: The Zoom Opener installer is downloaded by a user from the Launch meeting page, when attempting to join a meeting without having the Zoom Meeting Client installed. The Zoom Opener installer for Zoom Client for Meetings before version 5.10.3 and Zoom Rooms for Conference Room for Windows before version 5.10.3 are susceptible to a DLL injection attack. This vulnerability could be used to run arbitrary code on the victim’s host.

Users can help keep themselves secure by removing older versions of the Zoom Opener installer and running the latest version of the Zoom Opener installer from the “Download Now” button on the “Launch Meeting” page. Users can also protect themselves by downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Client for Meetings for Windows before version 5.10.3
  • All Zoom Rooms for Conference Room for Windows before version 5.10.3

Source: Reported by James Tsz Ko Yeung

ZSB-22009 05/17/2022 Insufficient hostname validation during server switch in Zoom Client for Meetings Medium CVE-2022-22787

Severity: Medium

CVSS Score: 5.9

CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L

Description: The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.10.0 fails to properly validate the hostname during a server switch request. This issue could be used in a more sophisticated attack to trick an unsuspecting user’s client to connect to a malicious server when attempting to use Zoom services.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.10.0

Source: Reported by Ivan Fratric of Google Project Zero

ZSB-22008 05/17/2022 Update package downgrade in Zoom Client for Meetings for Windows High CVE-2022-22786

Severity: High

CVSS Score: 7.5

CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Description: The Zoom Client for Meetings for Windows before version 5.10.0 and Zoom Rooms for Conference Room for Windows before version 5.10.0 fail to properly check the installation version during the update process. This issue could be used in a more sophisticated attack to trick a user into downgrading their Zoom client to a less secure version.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • All Zoom Client for Meetings for Windows before version 5.10.0
  • All Zoom Rooms for Conference Room for Windows before version 5.10.0

Source: Reported by Ivan Fratric of Google Project Zero

ZSB-22007 05/17/2022 Improperly constrained session cookies in Zoom Client for Meetings Medium CVE-2022-22785

Severity: Medium

CVSS Score: 5.9

CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L

Description: The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.10.0 fails to properly constrain client session cookies to Zoom domains. This issue could be used in a more sophisticated attack to send a user’s Zoom-scoped session cookies to a non-Zoom domain. This could potentially allow for spoofing of a Zoom user.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.10.0

Source: Reported by Ivan Fratric of Google Project Zero

ZSB-22006 05/17/2022 Improper XML Parsing in Zoom Client for Meetings High CVE-2022-22784

Severity: High

CVSS Score: 8.1

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Description: The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.10.0 fails to properly parse XML stanzas in XMPP messages. This can allow a malicious user to break out of the current XMPP message context and create a new message context to have the receiving user’s client perform a variety of actions. This issue could be used in a more sophisticated attack to forge XMPP messages from the server.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.10.0

Source: Reported by Ivan Fratric of Google Project Zero

ZSB-22005 04/27/2022 Process memory exposure in Zoom on-premise Meeting services High CVE-2022-22783

Severity: High

CVSS Score: 8.3

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/CR:H

Description: A vulnerability in Zoom On-Premise Meeting Connector Controller version 4.8.102.20220310 and On-Premise Meeting Connector MMR version 4.8.102.20220310 exposes process memory fragments to connected clients, which could be observed by a passive attacker.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates.

Affected Products:

  • Zoom On-Premise Meeting Connector Controller version 4.8.102.20220310
  • Zoom On-Premise Meeting Connector MMR version 4.8.102.20220310

Source: Zoom Offensive Security Team

ZSB-22004 04/27/2022 Local privilege escalation in Windows Zoom Clients High CVE-2022-22782

Severity: High

CVSS Score: 7.9

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H

Description: The Zoom Client for Meetings for Windows prior to version 5.9.7, Zoom Rooms for Conference Room for Windows prior to version 5.10.0, Zoom Plugins for Microsoft Outlook for Windows prior to version 5.10.3, and Zoom VDI Windows Meeting Clients prior to version 5.9.6 were susceptible to a local privilege escalation issue during the installer repair operation. A malicious actor could utilize this to potentially delete system-level files or folders, causing integrity or availability issues on the user’s host machine.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • All Zoom Client for Meetings for Windows prior to version 5.9.7
  • All Zoom Rooms for Conference Room for Windows prior to version 5.10.0
  • All Zoom Plugins for Microsoft Outlook for Windows prior to version 5.10.3
  • All Zoom VDI Windows Meeting Clients prior to version 5.9.6

Source: Reported by the Zero Day Initiative

ZSB-22003 04/27/2022 Update package downgrade in Zoom Client for Meetings for macOS High CVE-2022-22781

Severity: High

CVSS Score: 7.5

CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Description: The Zoom Client for Meetings for macOS (Standard and for IT Admin) prior to version 5.9.6 failed to properly check the package version during the update process. This could lead to a malicious actor updating an unsuspecting user’s currently installed version to a less secure version.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • All Zoom Client for Meetings for macOS (Standard and for IT Admin) prior to version 5.9.6

Source: Reported by Patrick Wardle of Objective-See

ZSB-22002 02/08/2022 Zoom Team Chat Susceptible to Zip Bombing Medium CVE-2022-22780

Severity: Medium

CVSS Score: 4.7

CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:N/A:L

Description: The Zoom Client for Meetings chat functionality was susceptible to Zip bombing attacks in the following product versions: Android before version 5.8.6, iOS before version 5.9.0, Linux before version 5.8.6, macOS before version 5.7.3, and Windows before version 5.6.3. This could lead to availability issues on the client host by exhausting system resources.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • All Zoom Client for Meetings for Android before version 5.8.6
  • All Zoom Client for Meetings for iOS before version 5.9.0
  • All Zoom Client for Meetings for Linux before version 5.8.6
  • All Zoom Client for Meetings for macOS before version 5.7.3
  • All Zoom Client for Meetings for Windows before version 5.6.3

Source: Reported by Johnny Yu of Walmart Global Tech

ZSB-22001 02/08/2022 Retained exploded messages in Keybase clients for macOS and Windows Low CVE-2022-22779

Severity: Low

CVSS Score: 3.7

CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Description: The Keybase Clients for macOS and Windows before version 5.9.0 fails to properly remove exploded messages initiated by a user. This can occur if the receiving user switches to a non-chat feature and places the host in a sleep state before the sending user explodes the messages. This could lead to disclosure of sensitive information which was meant to be deleted from a user’s filesystem.

Users can help keep themselves secure by applying current updates or downloading the latest Keybase software with all current security updates from https://keybase.io/download.

Affected Products:

  • Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.8.4
  • Zoom Client for Meetings for Blackberry (for Android and iOS) before version 5.8.1
  • Zoom Client for Meetings for intune (for Android and iOS) before version 5.8.4
  • Zoom Client for Meetings for Chrome OS before version 5.0.1
  • Zoom Rooms for Conference Room (for Android, AndroidBali, macOS, and Windows) before version 5.8.3

Source: Reported by Jeremy Brown

ZSB-21013 11/09/2021 Authenticated remote command execution with root privileges via web console in MMR High CVE-2021-34417

Severity: High

CVSS Score: 7.9

CVSS Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N

Description: The network proxy page on the web portal for the products listed in the “Affected Products” section of this bulletin fails to validate input sent in requests to set the network proxy password. This could lead to remote command injection by a web portal administrator.

Affected Products:

  • Zoom On-Premise Meeting Connector Controller before version 4.6.365.20210703
  • Zoom On-Premise Meeting Connector MMR before version 4.6.365.20210703
  • Zoom On-Premise Recording Connector before version 3.8.45.20210703
  • Zoom On-Premise Virtual Room Connector before version 4.4.6868.20210703
  • Zoom On-Premise Virtual Room Connector Load Balancer before version 2.5.5496.20210703

Source: Reported by Jeremy Brown

ZSB-21012 09/30/2021 Remote Code Execution against On-Prem Images via webportal Medium CVE-2021-34416

Severity: Medium

CVSS Score: 5.5

CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Description: The network address administrative settings web portal for the Zoom on-premise Meeting Connector before version 4.6.360.20210325, Zoom on-premise Meeting Connector MMR before version 4.6.360.20210325, Zoom on-premise Recording Connector before version 3.8.44.20210326, Zoom on-premise Virtual Room Connector before version 4.4.6752.20210326, and Zoom on-premise Virtual Room Connector Load Balancer before version 2.5.5495.20210326 fails to validate input sent in requests to update the network configuration, which could lead to remote command injection on the on-premise image by the web portal administrators.

Affected Products:

  • Zoom on-premise Meeting Connector before version 4.6.360.20210325
  • Zoom on-premise Meeting Connector MMR before version 4.6.360.20210325
  • Zoom on-premise Recording Connector before version 3.8.44.20210326
  • Zoom on-premise Virtual Room Connector before version 4.4.6752.20210326
  • Zoom on-premise Virtual Room Connector Load Balancer before version 2.5.5495.20210326

Source: Reported by Egor Dimitrenko of Positive Technologies

ZSB-21011 09/30/2021 ZC crash using a PDU which causes many allocations High CVE-2021-34415

Severity: High

CVSS Score: 7.5

CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description: The Zone Controller service in the Zoom On-Premise Meeting Connector Controller before version 4.6.358.20210205 does not verify the cnt field sent in incoming network packets, which leads to exhaustion of resources and system crash.

Affected Products:

  • Zoom On-Premise Meeting Connector Controller before version 4.6.358.20210205

Source: Reported by Nikita Abramov of Positive Technologies

ZSB-21010 09/30/2021 Remote Code Execution against Meeting Connector server via webportal network proxy configuration Medium CVE-2021-34414

Severity: Medium

CVSS Score: 2.8

CVSS Vector String: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

Description: All versions of the Zoom Plugin for Microsoft Outlook for macOS before 5.3.52553.0918 contain a Time-of-check Time-of-use (TOC/TOU) vulnerability during the plugin installation process. This could allow a standard user to write their own malicious application to the plugin directory, allowing the malicious application to execute in a privileged context.

Affected Products:

  • All versions of the Zoom Plugin for Microsoft Outlook for macOS before 5.3.52553.0918

Source: Reported by the Lockheed Martin Red Team

ZSB-21008 09/30/2021 Zoom for Windows Installer Local Privilege Escalation Medium CVE-2021-34412

Severity: Medium

CVSS Score: 4.4

CVSS Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Description: During the installation process for all versions of the Zoom Client for Meetings for Windows before 5.4.0, it is possible to launch Internet Explorer. If the installer was launched with elevated privileges such as by SCCM this can result in a local privilege escalation.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Client for Meetings for Windows before version 5.4.0

Source: Reported by the Lockheed Martin Red Team

ZSB-21007 09/30/2021 Zoom Rooms Installer Local Privilege Escalation Medium CVE-2021-34411

Severity: Medium

CVSS Score: 4.4

CVSS Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Description: During the installation process for Zoom Rooms for Conference Room for Windows before version 5.3.0 it is possible to launch Internet Explorer with elevated privileges. If the installer was launched with elevated privileges, such as by SCCM, this can result in a local privilege escalation.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Rooms for Conference Room for Windows before version 5.3.0
  • Zoom Rooms for Conference before version 5.1.0

Source: Reported by the Lockheed Martin Red Team

ZSB-21004 09/30/2021 Zoom MSI Installer Elevated Write Using A Junction High CVE-2021-34408

Severity: High

CVSS Score: 7.0

CVSS Vector String: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Description: A user-writable directory created during the installation of the Zoom Client for Meetings for Windows prior to version 5.3.2 can be redirected to another location using a junction. This would allow an attacker to overwrite files that a limited user would otherwise be unable to modify.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Client for Meetings for Windows prior to version 5.3.2

Source: Reported by the Lockheed Martin Red Team

ZSB-21003 09/30/2021 Windows Zoom Installer Digital Signature Bypass High CVE-2021-33907

Severity: High

CVSS Score: 7.0

CVSS Vector String: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H/CR:H/IR:H/AR:H/MAV:L/MAC:H/MPR:N/MUI:R/MS:U/MC:H/MI:H/MA:H

Description: The Zoom Client for Meetings for Windows in all versions before 5.3.0 fails to properly validate the certificate information used to sign .msi files when performing an update of the client. This could lead to remote code execution in an elevated privileged context.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • All versions of the Zoom Client for Meetings for Windows before version 5.3.0

Source: Reported by the Lockheed Martin Red Team

ZSB-21002 08/13/2021 Heap overflow from static buffer unchecked write from XMPP message High CVE-2021-30480

Severity: High

CVSS Score: 8.1

CVSS Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/CR:H/IR:H/AR:H/MAV:N/MAC:H/MPR:N/MUI:N/MS:U/MC:H/MI:H/MA:H

Description: A heap-based buffer overflow exists in all desktop versions of the Zoom Client for Meetings before version 5.6.3. This finding was reported to Zoom as a part of 2021 Pwn2Own Vancouver. The attack chain demonstrated during Pwn2Own was mitigated in a server-side change in Zoom’s infrastructure on 2021-04-09.

When combined with two other issues reported during Pwn2Own (improper URL validation when sending an XMPP message to access a Zoom Marketplace app URL, and incorrect URL validation when displaying a GIPHY image), a malicious user can achieve remote code execution on a target’s computer.

The target must have previously accepted a Connection Request from the malicious user or be in a multi-user chat with the malicious user for this attack to succeed. The attack chain demonstrated in Pwn2Own can be highly visible to targets, causing multiple client notifications to occur.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • All desktop versions of the Zoom Client for Meetings before 5.6.3

Source: Reported by Daan Keuper and Thijs Alkemade from Computest via the Zero Day Initiative

ZSB-21001 03/26/2021 Application Window Screen Sharing Functionality Medium CVE-2021-28133

Severity: Medium

CVSS Score: 5.7

CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Description: A vulnerability affected the Zoom Windows and Linux Clients’ share screen functionality when sharing individual application windows, in which screen contents of applications which are not explicitly shared by the screen-sharing users may be seen by other meeting participants for a brief moment if the “sharer” is minimizing, maximizing, or closing another window.

Zoom introduced several new security mitigations in Zoom Windows Client version 5.6 that reduce the possibility of this issue occurring for Windows users. We are continuing to work on additional measures to resolve this issue across all affected platforms.

Zoom also resolved the issue for Ubuntu users on March 1, 2021 in Zoom Linux Client version 5.5.4. Users can apply current updates or download the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Windows installer (ZoomInstallerFull.msi) versions prior to 5.0.4

Source: Connor Scott of Context Information Security

ZSB-20001 05/04/2020 Zoom IT Installer for Windows High CVE-2020-11443

Severity: High

CVSS Score: 8.4

CVSS Vector String: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H

Description: A vulnerability in how the Zoom Windows installer handles junctions when deleting files could allow a local Windows user to delete files otherwise not deletable by the user.

The vulnerability is due to insufficient checking for junctions in the directory from which the installer deletes files, which is writable by standard users. A malicious local user could exploit this vulnerability by creating a junction in the affected directory that points to protected system files or other files to which the user does not have permissions. Upon running the Zoom Windows installer with elevated permissions, as is the case when it is run through managed deployment software, those files would get deleted from the system.

Zoom addressed this issue in the 4.6.10 client release. Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom Windows installer (ZoomInstallerFull.msi) versions prior to 4.6.10

Source: Thanks to the Lockheed Martin Red Team.

ZSB-19003 07/12/2019 ZoomOpener daemon High CVE-2019-13567

Severity: High

CVSS Score: 7.5

CVSS Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Description: A vulnerability in the Zoom macOS client could allow an attacker to download malicious software to a victim's device.

The vulnerability is due to improper input validation and validation of downloaded software in the ZoomOpener helper application. An attacker could exploit the vulnerability to prompt a victim's device to download files on the attacker's behalf. A successful exploit is only possible if the victim previously uninstalled the Zoom Client.

Zoom addressed this issue in the 4.4.52595.0425 client release. Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom macOS client prior to version 4.4.52595.0425 and after version 4.1.27507.0627

Source: Unknown.

ZSB-19002 07/09/2019 Default Video Setting Low CVE-2019-13450

Severity: Low

CVSS Score: 3.1

CVSS Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Description: A vulnerability in the macOS Zoom and RingCentral clients could allow a remote, unauthenticated attacker to force a user to join a video call with the video camera active.

The vulnerability is due to insufficient authorization controls to check which systems may communicate with the local Zoom Web server running on port 19421. An attacker could exploit this vulnerability by creating a malicious website that causes the Zoom client to automatically join a meeting set up by the attacker.

Zoom implemented a new Video Preview dialog that is presented to the user before joining a meeting in Client version 4.4.5 published July 14, 2019. This dialog enables the user to join the meeting with or without video enabled and requires the user to set their desired default behavior for video. Zoom urges customers to install the latest Zoom Client release available at https://zoom.us/download.

Affected Products:

  • Zoom macOS Client prior to version 4.4.5
  • RingCentral macOS client prior to version 4.4.5

Source: Discovered by Jonathan Leitschuh.

ZSB-19001 07/09/2019 Denial of service attack - macOS Low CVE-2019-13449

Severity: Low

CVSS Score: 3.1

CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Description: A vulnerability in the macOS Zoom client could allow a remote, unauthenticated attacker to trigger a denial-of-service condition on a victim's system.

The vulnerability is due to insufficient authorization controls to check which systems may communicate with the local Zoom Web server running on port 19421. An attacker could exploit this vulnerability by creating a malicious website that causes the Zoom client to repeatedly try to join a meeting with an invalid meeting ID. The infinite loop causes the Zoom client to become inoperative and can impact performance of the system on which it runs.

Zoom released version 4.4.2-hotfix of the macOS client on April 28, 2019 to address the issue. Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

  • Zoom macOS Client prior to version 4.4.5
  • RingCentral macOS client prior to version 4.4.5

Source: Discovered by Jonathan Leitschuh.
