CVE-2023-28603

Improper Access Control (CWE-284)

Published: Apr 11, 2023

CVSS 7.1 (High) | EPSS 0.04%

Zoom VDI client installer prior to 5.14.0 contains an improper access control vulnerability. A malicious user may potentially delete local files without proper permissions.

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2023-28603.

Jun 12, 2023 at 8:32 AM / explore.zoom.us
CVSS

A CVSS base score of 7.1 has been assigned.

Sep 19, 2024 at 8:20 PM / nvd

Affected Systems

Zoom/virtual_desktop_infrastructure

Patches

Zoom

Links to Mitre Att&cks

T1546.004:

Attack Patterns

CAPEC-19: Embedding Scripts within Scripts

Vendor Advisory

Improper Access Control in Zoom VDI Client Installer

Zoom Id: ZSB-23011
Severity: High
CVE Id: CVE-2023-28603
Published Date: 2023-04-11

Description: Zoom VDI client installer prior to 5.14.0 contains an improper access control vulnerability. A malicious user may potentially delete local files without proper permissions. Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products: Zoom VDI Windows Meeting installer before version 5.14.0

Credits: Reported by sim0nsecurity

News

[Security News] Multiple Vulnerabilities in Clients of Video Conferencing Service "Zoom" (Page 1 / Total 1 Page): Security NEXT
The advisory was published in conjunction with the so-called "Patch Tuesday", the second Tuesday of each month (US time) on which vendors release their regular security updates. Video conferencing company Zoom has disclosed 12 vulnerabilities in its products.
Rewterz Threat Advisory – Multiple Zoom Vulnerabilities
Zoom for Windows, Zoom Rooms, Zoom VDI Windows Meeting clients could allow a remote authenticated attacker to gain elevated privileges on the system, caused by improper input validation. Zoom for Windows clients could allow a remote attacker to bypass security restrictions, caused by an improper restriction of operations within the bounds of a memory buffer vulnerability.
NA - CVE-2023-28603 - Zoom VDI client installer prior to 5.14.0...
Zoom VDI client installer prior to 5.14.0 contains an improper access control vulnerability. A malicious user may potentially delete local files without proper permissions.
CVE-2023-28603
Severity Not Scored Description Zoom VDI client installer prior to 5.14.0 contains an improper access control vulnerability. A malicious user may potentially delete local files without proper permissions. Read more at https://www.tenable.com/cve/CVE-2023-28603
CVE-2023-28603
Zoom VDI client installer prior to 5.14.0 contains an improper access control vulnerability. A malicious user may potentially delete local files without proper permissions.

CVSS V3.1

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: High
