#VU77150 Code Injection in Zoom Workplace Desktop App for Linux - CVE-2023-28598

Cybersecurity Help s.r.o.

Published: 2023-06-12

Vulnerability identifier: #VU77150

Vulnerability risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-28598

CWE-ID: CWE-94

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Zoom Workplace Desktop App for Linux
Client/Desktop applications / Office applications

Vendor: Zoom Video Communications, Inc.

Description

The vulnerability allows a remote user to crash the application.

The vulnerability exists due to improper input validation when processing HTML code. A remote chat user can send a specially crafted HTML code into the application's chat and crash the Zoom application.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Zoom Workplace Desktop App for Linux: 5.1.418436.0628 - 5.13.7 683

External links
https://explore.zoom.us/en/trust/security/security-bulletin/#ZSB-23006

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Denial of service in Zoom Client for Linux