407/67 Friday, November 15, 2024
Zoom has patched six vulnerabilities in its video conferencing and communication platform, including two high-severity vulnerabilities that could be exploited by remote attackers to escalate privileges or leak sensitive information. These two vulnerabilities were discovered by the Zoom Offensive Security team, with details as follows:
- Vulnerability CVE-2024-45421 (CVSS score: 8.5) is a buffer overflow vulnerability that can be exploited by authenticated attackers.
- Vulnerability CVE-2024-45419 (CVSS score: 8.5) is an improper input validation vulnerability that can be exploited remotely without authentication.
Additionally, Zoom addressed four medium-severity vulnerabilities:
- Vulnerability CVE-2024-45422: An improper input validation issue that allows authenticated attackers to cause a denial of service (DoS) through network access.
- Vulnerability CVE-2024-45420: An uncontrolled resource consumption flaw that could be exploited by authenticated users to crash the system via network access.
- Vulnerability CVE-2024-45418: A symbolic link vulnerability in the Zoom app on macOS.
- Vulnerability CVE-2024-45417: An uncontrolled resource consumption vulnerability affecting Zoom Apps on macOS.
These vulnerabilities impact the Zoom Workplace App, Rooms Client, Rooms Controller, Video SDK, and Meeting SDK versions prior to 6.2.0, as well as the Workplace VDI Client for Windows versions prior to 6.1.12 (excluding version 6.0.14). Zoom strongly advises users to update their applications to the latest versions as soon as possible to prevent potential exploitation.
Source https://securityaffairs.com/170861/security/zoom-fixed-two-high-severity-flaws.html