CVE-2019-13450
- Severity Score
- Exploit Likelihood
- Affected Versions
- Public Exploits: 1
- Exploited in Wild: -
- Decision: -
Descriptions
In the Zoom Client through 4.4.4 and RingCentral 7.0.136380.0312 on macOS, remote attackers can force a user to join a video call with the video camera active. This occurs because any web site can interact with the Zoom web server on localhost port 19421 or 19424. NOTE: a machine remains vulnerable if the Zoom Client was installed in the past and then uninstalled. Blocking exploitation requires additional steps, such as the ZDisableVideo preference and/or killing the web server, deleting the ~/.zoomus directory, and creating a ~/.zoomus plain file.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2019-07-09 CVE Reserved
- 2019-07-09 CVE Published
- 2023-11-08 EPSS Updated
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-862: Missing Authorization
CAPEC
References (8)
URL | Tag | Source |
---|---|---|
http://www.securityfocus.com/bid/109082 | Third Party Advisory | |
https://medium.com/%40jonathan.leitschuh/zoom-zero-day-4-million-webcams-maybe-an-rce-just-get-them-to-visit-your-website-ac75c83f4ef5 | X_refsource_misc | |
https://news.ycombinator.com/item?id=20387298 | Issue Tracking | |
https://twitter.com/moreati/status/1148548799813640193 | Third Party Advisory | |
https://twitter.com/zoom_us/status/1148710712241295361 | Third Party Advisory | |

URL | Date | SRC |
---|---|---|
https://bugs.chromium.org/p/chromium/issues/detail?id=951540 | 2024-08-04 | |

URL | Date | SRC |
---|---|---|
https://assets.zoom.us/docs/pdf/Zoom+Response+Video-On+Vulnerability.pdf | 2023-11-07 | |
https://blog.zoom.us/wordpress/2019/07/08/response-to-video-on-concern | 2023-11-07 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Ringcentral | Ringcentral | 7.0.136380.0312 | mac_os_x | Affected |
Zoom | Zoom | <= 4.4.4 | mac_os_x | Affected |