CVE-2021-30480 Information

Description

Zoom Chat through 2021-04-09 on Windows and macOS allows certain remote authenticated attackers to execute arbitrary code without user interaction. An attacker must be within the same organization or an external party who has been accepted as a contact. NOTE: this is specific to the Zoom Chat software which is different from the chat feature of the Zoom Meetings and Zoom Video Webinars software.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Reference

https://www.zdnet.com/article/critical-zoom-vulnerability-triggers-remote-code-execution-without-user-input/
https://twitter.com/thezdi/status/1379859851061395459
https://www.securityweek.com/200000-awarded-zero-click-zoom-exploit-pwn2own
https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/04/zoom-zero-day-discovery-makes-calls-safer-hackers-200000-richer/
https://zoom.us/feature/messaging
https://twitter.com/thezdi/status/1379855435730149378
https://www.zerodayinitiative.com/advisories/ZDI-21-971/
https://explore.zoom.us/en/trust/security/security-bulletin/
https://sector7.computest.nl/post/2021-08-zoom/

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

8.8

Base Severity

HIGH
