CVSS: 9.0 • EPSS: 0% • CPEs: 5 • EXPL: 0

11 Nov 2021 — The network proxy page on the web portal for the Zoom On-Premise Meeting Connector Controller before version 4.6.365.20210703, Zoom On-Premise Meeting Connector MMR before version 4.6.365.20210703, Zoom On-Premise Recording Connector before version 3.8.45.20210703, Zoom On-Premise Virtual Room Connector before version 4.4.6868.20210703, and Zoom On-Premise Virtual Room Connector Load Balancer before version 2.5.5496.20210703 fails to validate input sent in requests to set the network proxy password. This co... • https://explore.zoom.us/en/trust/security/security-bulletin • CWE-20: Improper Input Validation

CVSS: 5.3 • EPSS: 0% • CPEs: 5 • EXPL: 0

11 Nov 2021 — The login routine of the web console in the Zoom On-Premise Meeting Connector before version 4.6.239.20200613, Zoom On-Premise Meeting Connector MMR before version 4.6.239.20200613, Zoom On-Premise Recording Connector before version 3.8.42.20200905, Zoom On-Premise Virtual Room Connector before version 4.4.6344.20200612, and Zoom On-Premise Virtual Room Connector Load Balancer before version 2.5.5492.20200616 fails to validate that a NULL byte was sent while authenticating. This could lead to a crash of the... • https://explore.zoom.us/en/trust/security/security-bulletin • CWE-476: NULL Pointer Dereference

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Nov 2021 — In the Zoom Client for Meetings for Ubuntu Linux before version 5.1.0, there is an HTML injection flaw when sending a remote control request to a user in the process of in-meeting screen sharing. This could allow meeting participants to be targeted for social engineering attacks. • https://explore.zoom.us/en/trust/security/security-bulletin • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSS: 7.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Nov 2021 — The Zoom Client for Meetings for Windows installer before version 5.5.4 does not properly verify the signature of files with .msi, .ps1, and .bat extensions. This could lead to a malicious actor installing malicious software on a customer’s computer. • https://explore.zoom.us/en/trust/security/security-bulletin • CWE-347: Improper Verification of Cryptographic Signature

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

27 Sep 2021 — All versions of the Zoom Plugin for Microsoft Outlook for MacOS before 5.3.52553.0918 contain a Time-of-check Time-of-use (TOC/TOU) vulnerability during the plugin installation process. This could allow a standard user to write their own malicious application to the plugin directory, allowing the malicious application to execute in a privileged context. • https://explore.zoom.us/en/trust/security/security-bulletin • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

27 Sep 2021 — A user-writable application bundle unpacked during the install for all versions of the Zoom Plugin for Microsoft Outlook for Mac before 5.0.25611.0521 allows for privilege escalation to root. • https://explore.zoom.us/en/trust/security/security-bulletin • CWE-732: Incorrect Permission Assignment for Critical Resource

CVSS: 4.3 • EPSS: 1% • CPEs: 1 • EXPL: 1

18 Mar 2021 — Zoom through 5.5.4 sometimes allows attackers to read private information on a participant's screen, even though the participant never attempted to share the private part of their screen. When a user shares a specific application window via the Share Screen functionality, other meeting participants can briefly see contents of other application windows that were explicitly not shared. The contents of these other windows can (for instance) be seen for a short period of time when they overlay the shared window... • https://packetstorm.news/files/id/161897 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CVSS: 8.8 • EPSS: 1% • CPEs: 1 • EXPL: 1

08 Jun 2020 — An exploitable partial path traversal vulnerability exists in the way Zoom Client version 4.6.10 processes messages including shared code snippets. A specially crafted chat message can cause an arbitrary binary planting which could be abused to achieve arbitrary code execution. An attacker needs to send a specially crafted message to a target user or a group to trigger this vulnerability. For the most severe effect, target user interaction is required. • https://talosintelligence.com/vulnerability_reports/TALOS-2020-1056 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

08 Jun 2020 — An exploitable path traversal vulnerability exists in the way the Zoom client, version 4.6.10, processes messages including animated GIFs. A specially crafted chat message can cause an arbitrary file write, which could potentially be abused to achieve arbitrary code execution. An attacker needs to send a specially crafted message to a target user or a group to exploit this vulnerability. • https://talosintelligence.com/vulnerability_reports/TALOS-2020-1055 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 8.8 • EPSS: 1% • CPEs: 1 • EXPL: 1

12 Jul 2019 — The Zoom Client before 4.4.53932.0709 on macOS allows remote code execution, a different vulnerability than CVE-2019-13450. If the ZoomOpener daemon (aka the hidden web server) is running, but the Zoom Client is not installed or can't be opened, an attacker can remotely execute code with a maliciously crafted launch URL. NOTE: ZoomOpener is removed by the Apple Malware Removal Tool (MRT) if this tool is enabled and has the 2019-07-10 MRTConfigData. • https://gist.github.com/wbowling/13f9f90365c171806b9ffba2c841026b • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')