Stored XSS Vulnerabilities in ZOOM International Call Recording by ZOOM International
CVE-2019-18223

5.4MEDIUM

Key Information:

Vendor

Eleveo

Vendor
CVE Published:
27 April 2020

What is CVE-2019-18223?

The application ZOOM International Call Recording version 6.3.1 is susceptible to multiple authenticated stored Cross-Site Scripting (XSS) vulnerabilities. These vulnerabilities can be exploited through specific fields including phoneNumber in the User Edit and User Add forms, name in the Role Add form, name or number in the Edit Group form, and both tagKey and tagValue in the Recording Rules Configuration. Additionally, vulnerabilities exist in the txt_69735:/VemailAddress/value and txt_75767:/VemailFrom/value fields within the callrec/config. Exploitation of these vulnerabilities could allow an attacker to execute arbitrary JavaScript within the context of the user's browser.

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.