CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28601
https://notcve.org/view.php?id=CVE-2023-28601
Zoom for Windows clients prior to 5.14.0 contain an improper restriction of operations within the bounds of a memory buffer vulnerability. A malicious user may alter protected Zoom Client memory buffer potentially causing integrity issues within the Zoom Client. • https://explore.zoom.us/en/trust/security/security-bulletin • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-358: Improperly Implemented Security Check for Standard •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28600
https://notcve.org/view.php?id=CVE-2023-28600
Zoom for MacOSclients prior to 5.14.0 contain an improper access control vulnerability. A malicious user may be able to delete/replace Zoom Client files potentially causing a loss of integrity and availability to the Zoom Client. • https://explore.zoom.us/en/trust/security/security-bulletin • CWE-284: Improper Access Control CWE-378: Creation of Temporary File With Insecure Permissions •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2023-28599
https://notcve.org/view.php?id=CVE-2023-28599
Zoom clients prior to 5.13.10 contain an HTML injection vulnerability. A malicious user could inject HTML into their display name potentially leading a victim to a malicious website during meeting creation. • https://explore.zoom.us/en/trust/security/security-bulletin • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28598
https://notcve.org/view.php?id=CVE-2023-28598
Zoom for Linux clients prior to 5.13.10 contain an HTML injection vulnerability. If a victim starts a chat with a malicious user it could result in a Zoom application crash. • https://explore.zoom.us/en/trust/security/security-bulletin • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.3EPSS: 0%CPEs: 12EXPL: 0CVE-2023-28597 – Improper trust boundary implementation for SMB in Zoom Clients
https://notcve.org/view.php?id=CVE-2023-28597
Zoom clients prior to 5.13.5 contain an improper trust boundary implementation vulnerability. If a victim saves a local recording to an SMB location and later opens it using a link from Zoom’s web portal, an attacker positioned on an adjacent network to the victim client could set up a malicious SMB server to respond to client requests, causing the client to execute attacker controlled executables. This could result in an attacker gaining access to a user's device and data, and remote code execution. • https://explore.zoom.us/en/trust/security/security-bulletin • CWE-501: Trust Boundary Violation •