Vulnerabilities > CVE-2021-30480 - Unspecified vulnerability in Zoom Chat 20210409

CVSS 9.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

low complexity

zoom

critical

NVD

Published: 2021-04-09

Updated: 2021-09-21

Summary

Zoom Chat through 2021-04-09 on Windows and macOS allows certain remote authenticated attackers to execute arbitrary code without user interaction. An attacker must be within the same organization, or an external party who has been accepted as a contact. NOTE: this is specific to the Zoom Chat software, which is different from the chat feature of the Zoom Meetings and Zoom Video Webinars software.

Vulnerable Configurations

Part	Description	Count
Application	Zoom Zoom Chat - Zoom Chat 2021-04-09	2
OS	Apple Apple Macos -	1
OS	Microsoft Microsoft Windows -	1

References

https://www.zdnet.com/article/critical-zoom-vulnerability-triggers-remote-code-execution-without-user-input/
https://twitter.com/thezdi/status/1379859851061395459
https://www.securityweek.com/200000-awarded-zero-click-zoom-exploit-pwn2own
https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/04/zoom-zero-day-discovery-makes-calls-safer-hackers-200000-richer/
https://zoom.us/feature/messaging
https://twitter.com/thezdi/status/1379855435730149378
https://www.zerodayinitiative.com/advisories/ZDI-21-971/
https://explore.zoom.us/en/trust/security/security-bulletin/
https://sector7.computest.nl/post/2021-08-zoom/