Zoom Keybase Client for Windows could allow a remote attacker to traverse directories on the system, caused by improper validation of a file uploaded to a team folder. An attacker could use a specially-crafted file name containing “dot dot” sequences (/../) to execute arbitrary code on the system.
Zoom Keybase Client for iOS and Android could allow a remote attacker to obtain sensitive information, caused by a failure to properly remove exploded messages initiated by a user. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
Zoom Client for Meetings for Windows could allow a remote attacker to bypass security restrictions, caused by improper validation of the signature of files with .msi, .ps1, and .bat extensions. By persuading a victim to open specially-crafted content, an attacker could exploit this vulnerability to install malicious software on a victim’s computer.
Zoom Client for Meetings for Ubuntu Linux is vulnerable to HTML injection. A remote attacker could inject malicious HTML code when sending a remote control request, which when viewed, would be executed in the victim’s Web browser within the security context of the hosting site.
Zoom On-Premise products are vulnerable to a denial of service, caused by improper validation of a NULL byte during authentication in the login service of the web console. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the login service to crash.
Zoom On-Premise products could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by improper input validation of the network proxy password in the network proxy page on the web portal. By sending a specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary commands with root privileges.
Refer to Zoom Security Advisory for patch, upgrade, or suggested workaround information.