CVE-2021-34425 MEDIUM

CVE-2021-34425: Server Side Request Forgery in Zoom Client for Meetings chat

Vendor Zoom Video Communications Inc
Product Zoom Client for Meetings for Android
Published December 14, 2021
Last update September 17, 2024

CVSS base score

4.7/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

The Zoom Client for Meetings before version 5.7.3 (for Android, iOS, Linux, macOS, and Windows) contain a server side request forgery vulnerability in the chat\'s "link preview" functionality. In versions prior to 5.7.3, if a user were to enable the chat\'s "link preview" feature, a malicious actor could trick the user into potentially sending arbitrary HTTP GET requests to URLs that the actor cannot reach directly.

Key dates

02Disclosure timeline

December 14, 2021 CVE published
September 17, 2024 Record updated