CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-34408
https://notcve.org/view.php?id=CVE-2021-34408
27 Sep 2021 — The Zoom Client for Meetings for Windows in all versions before version 5.3.2 writes log files to a user writable directory as a privileged user during the installation or update of the client. This could allow for potential privilege escalation if a link was created between the user writable directory used and a non-user writable directory. Zoom Client for Meetings para Windows en todas las versiones anteriores a 5.3.2, escribe archivos de registro en un directorio en el que el usuario puede escribir como ... • https://explore.zoom.us/en/trust/security/security-bulletin • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 10.0EPSS: 4%CPEs: 1EXPL: 0CVE-2021-33907
https://notcve.org/view.php?id=CVE-2021-33907
27 Sep 2021 — The Zoom Client for Meetings for Windows in all versions before 5.3.0 fails to properly validate the certificate information used to sign .msi files when performing an update of the client. This could lead to remote code execution in an elevated privileged context. Zoom Client for Meetings para Windows en todas las versiones anteriores a 5.3.0, no comprueba correctamente la información del certificado usada para firmar los archivos .msi cuando se lleva a cabo una actualización del cliente. Esto podría conll... • https://explore.zoom.us/en/trust/security/security-bulletin • CWE-295: Improper Certificate Validation •
CVSS: 9.0EPSS: 13%CPEs: 3EXPL: 1CVE-2021-30480
https://notcve.org/view.php?id=CVE-2021-30480
09 Apr 2021 — Zoom Chat through 2021-04-09 on Windows and macOS allows certain remote authenticated attackers to execute arbitrary code without user interaction. An attacker must be within the same organization, or an external party who has been accepted as a contact. NOTE: this is specific to the Zoom Chat software, which is different from the chat feature of the Zoom Meetings and Zoom Video Webinars software. Zoom Chat versión hasta el 09-04-2021 en Windows y macOS, permite a determinados atacantes autenticados remotam... • https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/04/zoom-zero-day-discovery-makes-calls-safer-hackers-200000-richer •
CVSS: 4.3EPSS: 1%CPEs: 1EXPL: 1CVE-2021-28133 – Zoom 5.4.3 (54779.1115) / 5.5.4 (13142.0301) Information Disclosure
https://notcve.org/view.php?id=CVE-2021-28133
18 Mar 2021 — Zoom through 5.5.4 sometimes allows attackers to read private information on a participant's screen, even though the participant never attempted to share the private part of their screen. When a user shares a specific application window via the Share Screen functionality, other meeting participants can briefly see contents of other application windows that were explicitly not shared. The contents of these other windows can (for instance) be seen for a short period of time when they overlay the shared window... • https://packetstorm.news/files/id/161897 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-9767
https://notcve.org/view.php?id=CVE-2020-9767
14 Aug 2020 — A vulnerability related to Dynamic-link Library (“DLL”) loading in the Zoom Sharing Service would allow an attacker who had local access to a machine on which the service was running with elevated privileges to elevate their system privileges as well through use of a malicious DLL. Zoom addressed this issue, which only applies to Windows users, in the 5.0.4 client release. Una vulnerabilidad relacionada con la Carga de una Biblioteca de Enlace Dinámico ("DLL") en el servicio Zoom Sharing podría permitir a u... • https://github.com/shubham0d/Zoom-dll-hijacking • CWE-427: Uncontrolled Search Path Element •
CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 1CVE-2020-6110
https://notcve.org/view.php?id=CVE-2020-6110
08 Jun 2020 — An exploitable partial path traversal vulnerability exists in the way Zoom Client version 4.6.10 processes messages including shared code snippets. A specially crafted chat message can cause an arbitrary binary planting which could be abused to achieve arbitrary code execution. An attacker needs to send a specially crafted message to a target user or a group to trigger this vulnerability. For the most severe effect, target user interaction is required. Se presenta una vulnerabilidad de salto de ruta parcial... • https://talosintelligence.com/vulnerability_reports/TALOS-2020-1056 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-6109
https://notcve.org/view.php?id=CVE-2020-6109
08 Jun 2020 — An exploitable path traversal vulnerability exists in the Zoom client, version 4.6.10 processes messages including animated GIFs. A specially crafted chat message can cause an arbitrary file write, which could potentially be abused to achieve arbitrary code execution. An attacker needs to send a specially crafted message to a target user or a group to exploit this vulnerability. Se presenta una vulnerabilidad de salto de ruta explotable en Zoom Client, la versión 4.6.10 procesa mensajes que incluyen GIF ani... • https://talosintelligence.com/vulnerability_reports/TALOS-2020-1055 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-11443
https://notcve.org/view.php?id=CVE-2020-11443
04 May 2020 — The Zoom IT installer for Windows (ZoomInstallerFull.msi) prior to version 4.6.10 deletes files located in %APPDATA%\Zoom before installing an updated version of the client. Standard users are able to write to this directory, and can write links to other directories on the machine. As the installer runs with SYSTEM privileges and follows these links, a user can cause the installer to delete files that otherwise cannot be deleted by the user. El instalador it zoom para windows, (ZoomInstallerFull.msi) anteri... • https://support.zoom.us/hc/en-us/articles/201361953-New-Updates-for-Windows • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-11876
https://notcve.org/view.php?id=CVE-2020-11876
17 Apr 2020 — airhost.exe in Zoom Client for Meetings 4.6.11 uses the SHA-256 hash of 0123425234234fsdfsdr3242 for initialization of an OpenSSL EVP AES-256 CBC context. NOTE: the vendor states that this initialization only occurs within unreachable code ** EN DISPUTA ** El archivo airhost.exe en Zoom Client for Meetings versión 4.6.11, usa el hash SHA-256 de 0123425234234fsdfsdr3242 para la inicialización de un contexto EVP AES-256 CBC de OpenSSL. NOTA: el vendedor afirma que esta inicialización sólo se produce dentro de... • https://dev.io/posts/zoomzoo • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-11877
https://notcve.org/view.php?id=CVE-2020-11877
17 Apr 2020 — airhost.exe in Zoom Client for Meetings 4.6.11 uses 3423423432325249 as the Initialization Vector (IV) for AES-256 CBC encryption. NOTE: the vendor states that this IV is used only within unreachable code ** EN DISPUTA ** El archivo airhost.exe en Zoom Client for Meetings versión 4.6.11, usa 3423423432325249 como el Vector de Inicialización (IV) para el cifrado AES-256 CBC. NOTA: el proveedor declara que este IV se usa solo dentro de un código inalcanzable. • https://dev.io/posts/zoomzoo • CWE-330: Use of Insufficiently Random Values •