Zoom Patches Two Serious Vulnerabilities Found by Cisco Researchers
2020-06-04 09:03

Members of Cisco's Talos threat intelligence and research group have identified two vulnerabilities in the Zoom client application that can allow a remote attacker to write files to the targeted user's system and possibly achieve arbitrary code execution.

CVE-2020-6109 is related to the way Zoom processes GIF image files.

According to Talos, the file would carry a .gif extension but its content could be executable code or a script, which could help the attacker exploit other vulnerabilities.

The attacker then sends the victim a code snippet via Zoom with the same file ID and the same details in the obj tag.

When Zoom sees that the file has already been downloaded, it will unzip the previously downloaded file to a location picked by the attacker - this can be nearly any folder.
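The two weaknesses the summary describes are a content/extension mismatch (a ".gif" that is not a GIF) and an archive extraction whose destination the sender controls (CWE-22). The following is an added defensive example, not Zoom's or Talos's code: it checks the GIF magic bytes instead of trusting the extension, and it extracts a zip only after confirming each entry resolves inside the intended directory. The sample archive, with one benign entry and one traversal entry, is constructed inline.

```python
import io
import os
import tempfile
import zipfile

# Real GIF files start with one of these two signatures.
GIF_MAGICS = (b"GIF87a", b"GIF89a")


def looks_like_gif(data: bytes) -> bool:
    """Return True only if the bytes carry a real GIF header.
    A '.gif' filename on its own proves nothing about the content."""
    return data[:6] in GIF_MAGICS


def is_safe_member(member_name: str, dest_dir: str) -> bool:
    """Reject absolute paths and any entry that would resolve outside dest_dir.
    os.path.join discards dest_dir when member_name is absolute, and realpath
    collapses '..' components, so both cases end up outside dest_real."""
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, member_name))
    return target == dest_real or target.startswith(dest_real + os.sep)


def safe_extract(zip_bytes: bytes, dest_dir: str) -> dict:
    """Extract only entries that stay inside dest_dir.
    Returns a dict mapping member name -> 'extracted' or 'rejected'."""
    results = {}
    dest_real = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(info.filename, dest_dir):
                results[info.filename] = "rejected"
                continue
            target = os.path.join(dest_real, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            results[info.filename] = "extracted"
    return results


def build_sample_zip() -> bytes:
    """Constructed sample archive (hypothetical, not from any real exploit):
    one benign image entry and one entry that tries to climb out of the
    destination directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("images/ok.gif", b"GIF89a" + b"\x00" * 10)
        zf.writestr("../../escaped.txt", b"should never be written")
    return buf.getvalue()


def demo() -> dict:
    """Run the sample archive through safe_extract in a fresh temp dir and
    report what happened to each entry."""
    dest = tempfile.mkdtemp()
    results = safe_extract(build_sample_zip(), dest)
    results["ok_gif_on_disk"] = os.path.isfile(
        os.path.join(dest, "images", "ok.gif"))
    return results


if __name__ == "__main__":
    print(demo())
    print("magic check:", looks_like_gif(b"GIF89a\x01"), looks_like_gif(b"MZ\x90\x00"))
```

The extension is never consulted: `looks_like_gif` decides on the first six bytes, and `is_safe_member` decides on where the entry would actually land after path normalisation, which is the check a traversal entry is designed to bypass.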

News URL

http://feedproxy.google.com/~r/Securityweek/~3/_50J2gJXm5E/zoom-patches-two-serious-vulnerabilities-found-cisco-researchers

Related Vulnerability

DATE: 2020-06-08
CVE: CVE-2020-6109
VULNERABILITY TITLE: Path Traversal vulnerability in Zoom 4.6.10
DESCRIPTION: An exploitable path traversal vulnerability exists in the Zoom client, version 4.6.10 processes messages including animated GIFs.
RISK: network, low complexity; vendor zoom; CWE-22; critical, 9.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Cisco 2046 21 1773 1669 288 3751
Zoom 54 4 51 80 12 147