PT-2020-9947 · Zoom · Zoom International Call Recording

Published: 2020-04-27 · Updated: 2021-08-27 · CVE-2019-18223

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: ZOOM International Call Recording version 6.3.1

Description: ZOOM International Call Recording version 6.3.1 contains multiple stored cross-site scripting (XSS) vulnerabilities that can be triggered by an authenticated user. They are reachable through several form fields: the phoneNumber field in the User Edit and User Add forms, the name field in the Role Add form, the name and number fields in the Edit Group form, the tagKey and tagValue fields in the Recording Rules Configuration, and the txt 69735:/VemailAddress/value and txt 75767:/VemailFrom/value fields in callrec/config.

Recommendations: For ZOOM International Call Recording version 6.3.1, consider disabling the affected fields (phoneNumber, name, number, tagKey, tagValue, txt 69735:/VemailAddress/value and txt 75767:/VemailFrom/value) in their respective forms until a patch is available. Restrict access to the User Edit, User Add, Role Add, Edit Group and Recording Rules Configuration forms to minimize the risk of exploitation, and avoid using the affected fields in the callrec/config section until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

XSS

Weakness Enumeration

Related Identifiers

CVE-2019-18223

Affected Products

Zoom International Call Recording