CVE-2019-18223 — MEDIUM (5.4)

Vulnerability Description

ZOOM International Call Recording 6.3.1 suffers from multiple authenticated stored XSS vulnerabilities via the phoneNumber field in the (1) User Edit or (2) User Add form, (3) name field in the Role Add form, (4) name or number field in the Edit Group form, (5) tagKey or tagValue field in the Recording Rules Configuration, or (6) txt_69735:/VemailAddress/value or txt_75767:/VemailFrom/value field in callrec/config.

CVSS Score

5.4

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Eleveo	Call Recording	6.3.1

Related Weaknesses (CWE)

CWE-79

References

https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-18223-XSS-ZoomExploitThird Party Advisory
https://github.com/DrunkenShells/Disclosures/tree/master/CVE-2019-18223-XSS-ZoomExploitThird Party Advisory

FAQ

What is CVE-2019-18223?

CVE-2019-18223 is a vulnerability with a CVSS score of 5.4 (MEDIUM). ZOOM International Call Recording 6.3.1 suffers from multiple authenticated stored XSS vulnerabilities via the phoneNumber field in the (1) User Edit or (2) User Add form, (3) name field in the Role A...

How severe is CVE-2019-18223?

CVE-2019-18223 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-18223?

Check the references section above for vendor advisories and patch information. Affected products include: Eleveo Call Recording.