Improper URL parsing in Zoom Clients

CVE-2022-28755

9.6CRITICAL

Key Information

Vendor: Zoom
Status: Zoom Client For Meetings (for Android, iOS, Linux, Mac OS, And Windows); Zoom Vdi Windows Meeting Clients
Vendor: CVE Published:; 11 August 2022

Summary

The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.11.0 are susceptible to a URL parsing vulnerability. If a malicious Zoom meeting URL is opened, the malicious link may direct the user to connect to an arbitrary network address, leading to additional attacks including the potential for remote code execution through launching executables from arbitrary paths.

Affected Version(s)

Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) < 5.11.0

Zoom VDI Windows Meeting Clients < 5.10.7

CVSS V3.1

Score:

9.6

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Risk change from: 6.1 to: 9.6 - (CRITICAL)
Feb 22, 2024
Vulnerability published.
Aug 11, 2022
Vulnerability Reserved.
Apr 6, 2022

Collectors

NVD DatabaseMitre Database