Rewterz

Multiple Zoom Workplace Products Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2024-39826 CVSS:6.8

A path traversal flaw in Team Chat in some Zoom Workplace Apps and SDKs could allow a remote authenticated attacker to read files outside the directory the application intends to expose. By sending a specially crafted URL request containing "dot dot" sequences (/../), an authenticated user with network access could view arbitrary files on the system.
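The check a file-serving component needs against this flaw class, shown here as an added example that is not Zoom's code and is not taken from the advisory: it percent-decodes a request path until the result is stable, flags any `..` segment (including backslash-separated and double-encoded forms), and on the server side confirms that the normalized target path still lies under the intended base directory. The `/chat/files/` prefix, the base directory and the sample request lines are constructed assumptions.

```python
"""Added example, not Zoom's code: a reusable check for "dot dot" path
traversal in request paths, the flaw class behind CVE-2024-39826.
The prefix, base directory and sample requests below are assumptions."""
from __future__ import annotations

import os
from typing import Optional
from urllib.parse import unquote, urlsplit

# Hypothetical URL prefix under which a file-serving endpoint exposes
# user-supplied file names, and the directory it is meant to be confined to.
FILES_PREFIX = "/chat/files/"
BASE_DIR = "/srv/chat/files"

# Constructed sample request paths, in the shape an access log records them.
SAMPLE_REQUESTS = [
    "/chat/files/report.pdf",
    "/chat/files/../../../../etc/passwd",          # plain dot-dot
    "/chat/files/%2e%2e/%2e%2e/windows/win.ini",   # URL-encoded dots
    "/chat/files/%252e%252e/secret.txt",           # double-encoded dots
    "/chat/files/..%5c..%5cboot.ini",              # backslash separators
    "/chat/files/2024/notes..txt",                 # '..' inside a name: benign
]


def decode_fully(text: str, rounds: int = 3) -> str:
    """Percent-decode until stable so %252e (double-encoded '.') becomes '.'.
    Bounded so a hostile input cannot keep the loop busy."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def has_traversal(request_path: str) -> bool:
    """True if any segment is exactly '..' after decoding, treating
    backslashes as separators because Windows file APIs accept both."""
    path = decode_fully(urlsplit(request_path).path).replace("\\", "/")
    return any(segment == ".." for segment in path.split("/"))


def resolve_request(request_path: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Server-side containment check: map the request to a file under base_dir
    and refuse anything that normalizes to a location outside it. Returns the
    absolute path to serve, or None when the request must be rejected."""
    path = decode_fully(urlsplit(request_path).path).replace("\\", "/")
    if not path.startswith(FILES_PREFIX):
        return None
    # Drop a leading slash so os.path.join cannot be told to discard base_dir.
    relative = path[len(FILES_PREFIX):].lstrip("/")
    base = os.path.normpath(base_dir)
    candidate = os.path.normpath(os.path.join(base, relative))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def flag_traversal(request_paths: list[str]) -> list[str]:
    """Detection side: return the request paths a log review should flag."""
    return [p for p in request_paths if has_traversal(p)]


if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        verdict = "BLOCK" if resolve_request(request) is None else "serve"
        print(f"{verdict:5} {request}")
```

`has_traversal` is the cheap signal to run over access logs when hunting for exploitation attempts; `resolve_request` is the control that actually matters in the serving code, because it rejects on where the path lands rather than on what it looks like, so an encoding the pattern check misses is still caught. Once the target file exists, a production version should additionally compare `os.path.realpath` of the candidate against the base so symlinks inside the directory cannot point outside it.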

CVE-2024-39827 CVSS:5.5

Zoom Workplace Desktop App for Windows is vulnerable to a denial of service, caused by improper input validation. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.

CVE-2024-27238 CVSS:4.4

Zoom Apps and SDKs could allow a local authenticated attacker to gain elevated privileges on the system, caused by a race condition in the installer. An attacker with local access who wins the race while the installer is running could exploit this vulnerability to gain elevated privileges.

CVE-2024-27240 CVSS:7.1

Zoom Apps for Windows could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper input validation. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to gain elevated privileges.

CVE-2024-27241 CVSS:4.3

Zoom Apps and SDKs are vulnerable to a denial of service, caused by improper input validation. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.

Impact

  • Information Disclosure
  • Denial of Service
  • Privilege Escalation

Indicators of Compromise

CVE

  • CVE-2024-39826
  • CVE-2024-39827
  • CVE-2024-27238
  • CVE-2024-27240
  • CVE-2024-27241

Affected Vendors

Zoom

Affected Products

  • Zoom Meeting SDK for Windows
  • Zoom Meeting SDK for iOS
  • Zoom Meeting SDK for Android
  • Zoom Meeting SDK for macOS
  • Zoom Meeting SDK for Linux
  • Zoom Workplace Desktop App for Windows
  • Zoom Workplace Desktop App for macOS
  • Zoom Workplace Desktop App for Linux
  • Zoom Workplace VDI App for Windows
  • Zoom Workplace App for iOS
  • Zoom Workplace App for Android
  • Zoom Rooms App for Windows
  • Zoom Rooms App for macOS
  • Zoom Rooms App for iPad
  • Zoom Workplace VDI Plug-in for Windows 5.17

Remediation

Refer to the Zoom Security Advisory for patch, upgrade or suggested workaround information. Update the affected Zoom Workplace apps, Zoom Rooms apps and VDI plug-ins to the fixed versions listed there. Because several of these issues are in the Zoom Meeting SDK, third-party applications that embed the SDK remain affected until they are rebuilt and redistributed against the patched SDK release, so check those applications separately from the Zoom client itself.

Zoom Security Advisory