Zoom for Windows – Hacker Discovers and Fixes Critical Bug

Zoom's developers have released fixes for seven vulnerabilities in the company's desktop and mobile applications, including a critical bug in the Windows client.

The critical bug, tracked as CVE-2024-24691 (CVSS score 9.6), is described as improper input validation that could allow an authenticated attacker to escalate their privileges.


The following product versions are reported to be affected by the issue:

  • Zoom Desktop for Windows up to version 5.16.5;
  • Zoom VDI for Windows up to version 5.16.10 (except for versions 5.14.14 and 5.15.12);
  • Zoom Rooms for Windows up to version 5.17.0;
  • Zoom Meeting SDK for Windows up to version 5.16.5.
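To turn the affected-version list above into something an administrator can run against a software inventory, here is an added example (not code from the article or from Zoom). It reads the article's "up to version X" as inclusive, which is an assumption about the wording, and the inventory rows are constructed sample data.

```python
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

def parse_version(s: str) -> Version:
    """Turn '5.16.10' into (5, 16, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in s.strip().split("."))

# Affected ranges as listed in the article for CVE-2024-24691.
# "Up to" is treated as inclusive here (assumption).
# product -> (highest affected version, versions explicitly excluded)
AFFECTED = {
    "Zoom Desktop for Windows": ("5.16.5", ()),
    "Zoom VDI for Windows": ("5.16.10", ("5.14.14", "5.15.12")),
    "Zoom Rooms for Windows": ("5.17.0", ()),
    "Zoom Meeting SDK for Windows": ("5.16.5", ()),
}

def is_affected(product: str, installed: str) -> Optional[bool]:
    """True if the installed build is in the article's affected range,
    False if it is not, None if the product is not one the article lists."""
    entry = AFFECTED.get(product)
    if entry is None:
        return None
    max_affected, excluded = entry
    v = parse_version(installed)
    if v in {parse_version(x) for x in excluded}:
        return False  # branch the article lists as an exception
    return v <= parse_version(max_affected)

def hosts_needing_update(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Filter (host, product, version) rows down to those still in the affected range."""
    return [row for row in inventory if is_affected(row[1], row[2])]

# Constructed sample inventory; hostnames are placeholders, not real systems.
SAMPLE_INVENTORY = [
    ("ws-01", "Zoom Desktop for Windows", "5.16.5"),
    ("ws-02", "Zoom Desktop for Windows", "5.17.7"),
    ("vdi-01", "Zoom VDI for Windows", "5.15.12"),
    ("vdi-02", "Zoom VDI for Windows", "5.16.2"),
    ("room-01", "Zoom Rooms for Windows", "5.17.0"),
    ("mac-01", "Zoom Desktop for macOS", "5.16.0"),
]

if __name__ == "__main__":
    for host, product, ver in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"update needed: {host} ({product} {ver})")
```

Versions are compared as integer tuples so that 5.16.10 correctly sorts above 5.16.5, which a plain string comparison gets wrong.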

Although the vulnerability description does not say exactly how it can be exploited, it appears that exploitation requires some form of user interaction: clicking a link, opening an attachment, or performing some other action.

In most cases, Zoom will prompt you to update to the latest version automatically, but the fixed version 5.17.7 for Windows can also be downloaded and installed manually.

In addition to the critical vulnerability, the latest version of Zoom also fixes six other bugs.


  • CVE-2024-24697: a vulnerability in 32-bit Zoom clients for Windows allows a local attacker to escalate privileges via an untrusted search path;
  • CVE-2024-24696: a chat vulnerability in Zoom clients for Windows caused by improper input validation allows information disclosure;
  • CVE-2024-24695: similar to CVE-2024-24696, improper input validation in Zoom clients for Windows allows information disclosure;
  • CVE-2024-24699: another chat issue that may lead to information disclosure;
  • CVE-2024-24690: an input validation vulnerability in some Zoom clients could lead to a denial of service;
  • CVE-2024-24698: an improper authentication issue in some Zoom clients allows a privileged user with local access to obtain information.
