XML injection in Zoom Video Communications, Inc. products - CVE-2022-22784

 

XML injection in Zoom Video Communications, Inc. products - CVE-2022-22784

Published: May 24, 2022


Vulnerability identifier: #VU63587
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-22784
CWE-ID: CWE-91
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Zoom Video Communications, Inc.
Affected software:
Zoom Workplace Desktop App for Windows
Zoom Workplace Desktop App for Linux
Zoom Workplace Desktop App for macOS
Zoom Workplace App for Android
Zoom Workplace App for iOS

Detailed vulnerability description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to improper input validation when processing XML data inside XMPP messages. A remote attacker can send a specially crafted chat message to break out of the current XMPP message context and spoof messages from other application users or from server.



How to mitigate CVE-2022-22784

Install updates from vendor's website.

Sources