- 196/2024
- High
Zoom has released security updates to fix several vulnerabilities across multiple Zoom products.
The addressed vulnerabilities could allow the attacker to conduct denial of service attacks, or gain elevated privileges to the affected system by sending a specially crafted request.
Sample of the addressed vulnerabilities:
1. Zoom Apps for Windows – Improper Input Validation (CVE-2024-27240):
- CVSS: 7.1
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Consequences: Gain Privileges
2. Zoom Workplace Apps and SDKs – Path Traversal (CVE-2024-39826):
- CVSS: 6.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Consequences: Obtain Information
Sample of affected products:
- Zoom Workplace Desktop App for Windows and macOS before version 6.0.10.
- Zoom Rooms App for Windows before version 6.0.6.
- Zoom Workplace VDI App for Windows before version 5.17.13.
- Zoom Meeting SDK for Windows before version 6.0.0.
Vulnerabilities
- CVE-2024-27240
- CVE-2024-27241
- CVE-2024-27238
- CVE-2024-39826
- CVE-2024-39827
- CVE-2024-39819
- CVE-2024-39820
- CVE-2024-39821
- CVE-2024-27245
- CVE-2024-27246
- CVE-2024-27239
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.