Improper URL parsing in Zoom Clients
CVE-2022-28755

9.6CRITICAL

Key Information:

Vendor: Zoom
Status: Zoom Client For Meetings (for Android, iOS, Linux, Mac OS, And Windows); Zoom Vdi Windows Meeting Clients
Vendor: CVE Published:; 11 August 2022

What is CVE-2022-28755?

The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.11.0 are susceptible to a URL parsing vulnerability. If a malicious Zoom meeting URL is opened, the malicious link may direct the user to connect to an arbitrary network address, leading to additional attacks including the potential for remote code execution through launching executables from arbitrary paths.

Affected Version(s)

Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) < 5.11.0

Zoom VDI Windows Meeting Clients < 5.10.7

References

https://explore.zoom.us/en/trust/security/security-bulletin/

x_refsource_MISC

CVSS V3.1

Score:

9.6

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 11, 2022
Vulnerability Reserved
Apr 6, 2022