CVE-2021-34419 - OpenCVE

In the Zoom Client for Meetings for Ubuntu Linux before version 5.1.0, there is an HTML injection flaw when sending a remote control request to a user in the process of in-meeting screen sharing. This could allow meeting participants to be targeted for social engineering attacks.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Zoom	Zoom Client For Meetings

Configuration 1 [-]

cpe:2.3:a:zoom:zoom_client_for_meetings:*:*:*:*:*:linux:*:*

References

Link	Resource
https://explore.zoom.us/en/trust/security/security-bulletin	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: Zoom

Published: 2021-11-12T00:00:00

Updated: 2021-11-11T22:59:34

Reserved: 2021-06-09T00:00:00

Link: CVE-2021-34419

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-11-11T23:15:09.667

Modified: 2021-11-16T18:39:56.267

Link: CVE-2021-34419

JSON object: View

Redhat Information

No data.

CWE

CWE-74

{"containers": {"cna": {"affected": [{"product": "Zoom Client for Meetings for Ubuntu Linux", "vendor": "Zoom Video Communications Inc", "versions": [{"lessThan": "5.1.0", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Danny de Weille and Rick Verdoes of hackdefense"}], "datePublic": "2021-11-12T00:00:00", "descriptions": [{"lang": "en", "value": "In the Zoom Client for Meetings for Ubuntu Linux before version 5.1.0, there is an HTML injection flaw when sending a remote control request to a user in the process of in-meeting screen sharing. This could allow meeting participants to be targeted for social engineering attacks."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"description": "Improper Encoding or Escaping of Output", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2021-11-11T22:59:34", "orgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351", "shortName": "Zoom"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://explore.zoom.us/en/trust/security/security-bulletin"}], "source": {"discovery": "USER"}, "title": "HTML injection in Zoom Linux client", "x_legacyV4Record": {"CVE_data_meta": {"AKA": "Zoom Communications Inc", "ASSIGNER": "security@zoom.us", "DATE_PUBLIC": "2021-11-12T17:00:00.000Z", "ID": "CVE-2021-34419", "STATE": "PUBLIC", "TITLE": "HTML injection in Zoom Linux client"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Zoom Client for Meetings for Ubuntu Linux", "version": {"version_data": [{"version_affected": "<", "version_value": "5.1.0"}]}}]}, "vendor_name": "Zoom Video Communications Inc"}]}}, "credit": [{"lang": "eng", "value": "Danny de Weille and Rick Verdoes of hackdefense"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "In the Zoom Client for Meetings for Ubuntu Linux before version 5.1.0, there is an HTML injection flaw when sending a remote control request to a user in the process of in-meeting screen sharing. This could allow meeting participants to be targeted for social engineering attacks."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Encoding or Escaping of Output"}]}]}, "references": {"reference_data": [{"name": "https://explore.zoom.us/en/trust/security/security-bulletin", "refsource": "MISC", "url": "https://explore.zoom.us/en/trust/security/security-bulletin"}]}, "source": {"discovery": "USER"}}}}, "cveMetadata": {"assignerOrgId": "99b9af0d-a833-4a5d-9e2f-8b1324f35351", "assignerShortName": "Zoom", "cveId": "CVE-2021-34419", "datePublished": "2021-11-12T00:00:00", "dateReserved": "2021-06-09T00:00:00", "dateUpdated": "2021-11-11T22:59:34", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zoom:zoom_client_for_meetings:*:*:*:*:*:linux:*:*", "matchCriteriaId": "49B39D3B-962F-4E42-92C4-27A77CECA808", "versionEndExcluding": "5.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "In the Zoom Client for Meetings for Ubuntu Linux before version 5.1.0, there is an HTML injection flaw when sending a remote control request to a user in the process of in-meeting screen sharing. This could allow meeting participants to be targeted for social engineering attacks."}, {"lang": "es", "value": "En Zoom Client for Meetings para Ubuntu Linux versiones anteriores a 5.1.0, se presenta un fallo de inyecci\u00f3n de HTML cuando es enviada una petici\u00f3n de control remoto a un usuario en el proceso de compartir la pantalla en una reuni\u00f3n. Esto podr\u00eda permitir que participantes en la reuni\u00f3n sean objeto de ataques de ingenier\u00eda social"}], "id": "CVE-2021-34419", "lastModified": "2021-11-16T18:39:56.267", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "security@zoom.us", "type": "Secondary"}]}, "published": "2021-11-11T23:15:09.667", "references": [{"source": "security@zoom.us", "tags": ["Vendor Advisory"], "url": "https://explore.zoom.us/en/trust/security/security-bulletin"}], "sourceIdentifier": "security@zoom.us", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}