7.5
HIGH

CVE-2018-15715

Published: 30/11/2018 Updated: 04/02/2019
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9

Vulnerability Summary

Zoom clients for Windows, MacOS and Linux security bypass

Zoom clients on Windows (before version 4.1.34814.1119), Mac OS (before version 4.1.34801.1116), and Linux (2.4.129780.0915 and below) are vulnerable to unauthorized message processing. A remote unauthenticated attacker can spoof UDP messages from a meeting attendee or Zoom server in order to invoke functionality in the target client. This allows the attacker to remove attendees from meetings, spoof messages from users, or hijack shared screens.

Zoom clients for Windows, MacOS and Linux could allow a remote attacker to bypass security restrictions, caused by improper message validation. By sending a specially-crafted request, an attacker could exploit this vulnerability to remove attendees from meetings, spoof messages from users, or hijack shared screens.

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Complexity: LOW
Authentication: NONE
Access Vector: NETWORK
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Vulnerability Trend

Affected Products

Vendor Product Versions
ZoomZoom2.4.129780.0915

Github Repositories

Awesome CVE PoC A curated list of CVE PoCs Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security Please read the contribution guidelines before contributing This repo is full of PoCs for CVEs If you enjoy this awesome list and would like to support it, check out my Patreon page :

Recent Articles

Critical Zoom Flaw Lets Hackers Hijack Conference Meetings
Threatpost • Lindsey O'Donnell • 29 Nov 2018

A serious vulnerability in Zoom’s desktop conferencing application could allow a remote attacker to hijack screen controls and kick attendees out of meetings.
Researchers at Tenable who on Thursday released a proof of concept exploit for the unauthorized command execution flaw said that bug exists in Zoom’s event messaging pump. The vulnerability, CVE-2018-15715, is “critical” in severity and has a CVSS 3.0 score of 9.9.
“This vulnerability could be exploited in a few scena...

References