CVE-2022-22784

EPSS 1.37%
Published 18.05.2022 16:15:08
Last modified 21.11.2024 06:47:26
Source security@zoom.us
Teams watchlist Login
Open Login

The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly parse XML stanzas in XMPP messages. This can allow a malicious user to break out of the current XMPP message context and create a new message context to have the receiving users client perform a variety of actions.This issue could be used in a more sophisticated attack to forge XMPP messages from the server.

Affected products Warnungen 0 Metrics 4 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Zoom ≫ Meetings SwPlatformandroid Version < 5.10.0

Zoom ≫ Meetings SwPlatformiphone_os Version < 5.10.0

Zoom ≫ Meetings SwPlatformlinux Version < 5.10.0

Zoom ≫ Meetings SwPlatformmacos Version < 5.10.0

Zoom ≫ Meetings SwPlatformwindows Version < 5.10.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.37%	0.796

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
nvd@nist.gov	5.5	8	4.9	AV:N/AC:L/Au:S/C:P/I:P/A:N
security@zoom.us	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CWE-91 XML Injection (aka Blind XPath Injection)

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is processed by an end system.

https://explore.zoom.us/en/trust/security/security-bulletin

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-22784

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-22784

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-22784

EUVD