#VU63587 XML injection in Zoom Video Communications, Inc. products - CVE-2022-22784

 


Published: May 24, 2022


Vulnerability identifier: #VU63587
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-22784
CWE-ID: CWE-91
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Zoom Workplace Desktop App for Windows
Zoom Workplace Desktop App for Linux
Zoom Workplace Desktop App for macOS
Zoom Workplace App for Android
Zoom Workplace App for iOS
Software vendor:
Zoom Video Communications, Inc.

Description

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists due to improper input validation when processing XML data inside XMPP messages. A remote attacker can send a specially crafted chat message to break out of the current XMPP message context and spoof messages from other application users or from the server.
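As an added illustration of the CWE-91 pattern described above (this is not Zoom's code; the function names, addresses and sample body are constructed for the example), the following Python compares a message stanza built by string concatenation with one built through an XML serializer, and shows what a receiving parser sees in each case.

```python
import xml.etree.ElementTree as ET

def build_stanza_unsafe(sender, body):
    # Vulnerable pattern: untrusted chat text is concatenated into markup,
    # so markup characters in the body become part of the stanza structure.
    return f"<message from='{sender}'><body>{body}</body></message>"

def build_stanza_safe(sender, body):
    # Hardened pattern: the serializer escapes text and attribute values,
    # so the body can only ever be character data.
    msg = ET.Element("message", {"from": sender})
    ET.SubElement(msg, "body").text = body
    return ET.tostring(msg, encoding="unicode")

def stanzas_seen_by_receiver(wire):
    # Simplified receiver: wrap the bytes in a stream root and list the
    # (from, body) pair of every top-level <message> element.
    root = ET.fromstring(f"<stream>{wire}</stream>")
    return [(m.get("from"), m.findtext("body")) for m in root.findall("message")]

def is_single_stanza(wire, expected_sender):
    # Defensive check before forwarding: exactly one message, from the
    # authenticated sender, and nothing else at the top level.
    root = ET.fromstring(f"<stream>{wire}</stream>")
    children = list(root)
    return (len(children) == 1 and children[0].tag == "message"
            and children[0].get("from") == expected_sender)

# Constructed sample input (example.test addresses are placeholders).
SENDER = "alice@example.test"
CRAFTED_BODY = ("hi</body></message>"
                "<message from='admin@example.test'><body>spoofed notice")

if __name__ == "__main__":
    for build in (build_stanza_unsafe, build_stanza_safe):
        wire = build(SENDER, CRAFTED_BODY)
        print(build.__name__, stanzas_seen_by_receiver(wire),
              "single stanza:", is_single_stanza(wire, SENDER))
```
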



Remediation

Install updates from the vendor's website.
