Code Injection in Zoom Video Communications, Inc. products - CVE-2023-28599


Published: June 12, 2023


Vulnerability identifier: #VU77151
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-28599
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Zoom Video Communications, Inc.
Affected software:
Zoom Workplace Desktop App for Windows
Zoom Workplace Desktop App for macOS
Zoom Workplace Desktop App for Linux
Zoom Workplace App for Android
Zoom Workplace App for iOS

Detailed vulnerability description

The vulnerability allows a remote user to perform a spoofing attack.

The vulnerability exists due to improper input validation when processing HTML code. A remote user can inject arbitrary HTML code into their display name and force the victim to visit a malicious website during meeting creation.
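The defensive pattern that this class of bug calls for is to treat a participant's display name as untrusted text at every point where it reaches an HTML rendering path: validate it against an allowlist when it is accepted, and escape it again when it is rendered, so a name containing markup can never become a live link. The block below is an added example written for this page; it is not code from the advisory or from Zoom, and the function names, the wrapper element, the allowlist pattern and the sample inputs are all constructed for illustration.

```javascript
// Added example (not from the advisory or from Zoom): defensive handling of a
// user-controlled display name before it is rendered into HTML.

// Escape the five characters that matter in HTML text and attribute contexts,
// so a display name is always rendered as literal text, never as markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Allowlist validation at the input boundary (an assumed policy for this
// example): letters, digits, spaces and a few punctuation marks, length-capped.
// Anything else is rejected outright rather than "cleaned up".
const DISPLAY_NAME_RE = /^[\p{L}\p{N} .,'\-]{1,64}$/u;
function isValidDisplayName(name) {
  return typeof name === 'string' && DISPLAY_NAME_RE.test(name);
}

// Build the participant row the way a meeting UI might. Escaping happens at
// render time regardless of whether validation ran upstream (defence in depth).
function renderParticipant(name) {
  return `<li class="participant">${escapeHtml(name)}</li>`;
}

// Regression check for a rendering path: after removing the one wrapper element
// we emitted ourselves, does any tag remain? A correct path always answers "no".
function containsMarkup(html) {
  const inner = html
    .replace(/^<li class="participant">/, '')
    .replace(/<\/li>$/, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

// Constructed sample inputs: a normal name and a name that carries an anchor
// tag pointing at a placeholder domain.
const benignName = "Alice O'Neil";
const hostileName = '<a href="https://attacker.example/">Click to join</a>';

console.log('valid?', isValidDisplayName(benignName), isValidDisplayName(hostileName));
console.log(renderParticipant(benignName));
console.log(renderParticipant(hostileName));
console.log('markup leaked?', containsMarkup(renderParticipant(hostileName)));
```

The two layers are deliberately independent: the allowlist stops the hostile name at the boundary, and the escaping guarantees that even a name that slipped past validation (or arrived through another client) is displayed as inert text. A renderer that inserts the name with `innerHTML` without the escaping step is the shape of defect the advisory describes.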


How to mitigate CVE-2023-28599

Install updates from vendor's website.

Sources