Zoom client application chat Giphy arbitrary file write [CVE-2020-6109]
CVE number – CVE-2020-6109
An exploitable path traversal vulnerability exists in the way the Zoom client, version 4.6.10, processes messages that include animated GIFs. A specially crafted chat message can cause an arbitrary file write, which could potentially be abused to achieve arbitrary code execution. To exploit this vulnerability, an attacker needs to send a specially crafted message to a target user or a group.
Vendor confirmed issue patched on 2020-04-21
Tested Versions
Zoom Client Application 4.6.10
CREDIT
Discovered by a member of Cisco Talos.
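The defensive pattern for this class of bug, as an added example that is not taken from the advisory or from Zoom's code: a file name derived from a received message is checked against an allowlist and confined to the cache directory before anything is written. It assumes the message supplies an identifier that the client uses as the cache file name; the function names, the identifier format and the sample names are hypothetical.

```python
import os
import re
import tempfile
from pathlib import Path

ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")  # assumed identifier format
# Constructed sample names, as they might arrive in a chat message
SAMPLE_NAMES = ["l0HlBO7eyXzSZkJri", "../../outside", "..\\..\\outside", "/abs/outside"]

class UnsafeName(ValueError):
    """The message-supplied name or payload must not be written to the cache."""

def naive_cache_path(cache_dir, name):
    # Weak pattern: the untrusted name is joined as-is, so separators and
    # ".." segments in the message decide where the file lands.
    return os.path.normpath(os.path.join(cache_dir, name + ".gif"))

def safe_cache_path(cache_dir, name):
    # Allowlist first: anything that is not a plain identifier is refused.
    if not ID_RE.fullmatch(name):
        raise UnsafeName(name)
    root = Path(cache_dir).resolve()
    target = (root / (name + ".gif")).resolve()
    # Defence in depth: the resolved path must sit directly in the cache
    # directory (also catches a symlink planted under that name).
    if target.parent != root:
        raise UnsafeName(name)
    return target

def store_gif(cache_dir, name, data):
    # Content check: only data with a GIF signature is stored as .gif.
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise UnsafeName("payload is not a GIF")
    path = safe_cache_path(cache_dir, name)
    # O_EXCL refuses to overwrite an existing file or follow a symlink.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path

def demo():
    """Return {name: (naive_leaves_cache, safe_accepts)} for SAMPLE_NAMES."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name in SAMPLE_NAMES:
            leaves = os.path.dirname(naive_cache_path(tmp, name)) != os.path.normpath(tmp)
            try:
                safe_cache_path(tmp, name)
                out[name] = (leaves, True)
            except UnsafeName:
                out[name] = (leaves, False)
    return out
```

`demo()` reports, for each constructed name, whether the naive join leaves the cache directory and whether the hardened function accepts it.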
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.