Therefore, administrators who are aware of this risk, and have their users upgrade to a newer version of the Zoom Client, should do so as soon as possible. We are actively investigating this issue and are working closely with Google to get a patch out as soon as possible. We will post an update once the patch is released. XMPP stanzas can be parsed in different ways. Some of the most common ways are: parsed as XML, parsed as HTML, and parsed as XHTML. XMPP clients often have different modes with different preferences for how XMPP data is parsed. When you configure XMPP preferences for a given client, it is possible for the client to send the preferences instead of the actual content. An attacker with access to the XMPP server could exploit this by sending an XMPP message with an invalid XMPP preference setting. An attacker could send an XMPP message with an invalid preference setting to the client and trigger it to parse a different format than was intended. An attacker could also abuse this to send XMPP messages with HTML or XHTML content.
HTML parsing vulnerability
Administrators who are using the Zoom Client 3.2.4 should upgrade to a newer version as soon as possible, preferably 3.2.5 or later. This vulnerability does not affect the other Zoom clients that are not using XMPP for instant messaging.
Timeline
Published on: 05/18/2022 16:15:00 UTC
Last modified on: 05/27/2022 15:09:00 UTC