PT-2019-13427 · Zoom · Zoom Client
Vakzz · Published 2019-07-12 · Updated 2020-08-24 · CVE-2019-13567
CVSS v3.1: 8.8 High
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Zoom Client versions prior to 4.4.53932.0709
Description
The issue allows remote code execution if the ZoomOpener daemon is running but the Zoom Client is not installed or cannot be opened. An attacker can exploit this by using a maliciously crafted launch URL. The ZoomOpener daemon can be removed by the Apple Malware Removal Tool (MRT) if it is enabled and has the 2019-07-10 MRTConfigData.
Recommendations
For Zoom Client versions prior to 4.4.53932.0709, update to version 4.4.53932.0709 or later to resolve the issue. As a temporary workaround, consider disabling the ZoomOpener daemon until a patch is available. Restrict access to any launch URLs that could potentially exploit the vulnerability to minimize the risk of exploitation.
Exploit
Fix
OS Command Injection
Weakness Enumeration
Related Identifiers
Affected Products
Zoom Client