CVE-2023-28599 in Zoominfo

Summary

by MITRE • 06/13/2023

Zoom clients prior to 5.13.10 contain an HTML injection vulnerability. A malicious user could inject HTML into their display name potentially leading a victim to a malicious website during meeting creation.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 04/25/2025

The vulnerability identified as CVE-2023-28599 represents a critical HTML injection flaw within Zoom client software versions prior to 5.13.10. This security weakness arises from insufficient input validation and sanitization mechanisms within the client application's display name handling functionality. The vulnerability specifically affects the meeting creation process where users can set their display names, creating an opportunity for malicious actors to exploit this gap in the application's security architecture. The flaw allows attackers to inject arbitrary HTML code into the display name field, which then gets rendered in the meeting interface, potentially exposing unsuspecting users to malicious web content. This type of vulnerability falls under the CWE-79 category of Cross-Site Scripting (XSS) and represents a significant risk to user security and privacy within the Zoom ecosystem.

The technical exploitation of this vulnerability occurs when a malicious user registers a display name containing HTML payload that includes malicious script tags or embedded web links. During meeting creation, when other participants view the meeting roster or interface, the injected HTML code executes in the context of the victim's browser session. This creates a vector for various attack scenarios including phishing attempts, credential theft, or redirection to malicious websites. The vulnerability demonstrates poor input sanitization practices where user-supplied content is not properly escaped or validated before being rendered in the client interface. The attack surface is particularly concerning as it leverages the trust relationship between participants in a Zoom meeting, making it difficult for victims to distinguish between legitimate and malicious content within the meeting environment.

The operational impact of CVE-2023-28599 extends beyond simple phishing attacks to potentially enable more sophisticated social engineering campaigns. Attackers can craft display names that appear legitimate while containing hidden malicious payloads, making the vulnerability particularly dangerous in corporate or educational environments where users may be less vigilant about unusual meeting participants. The vulnerability affects the core user experience and trust model of Zoom's platform, potentially leading to unauthorized access to sensitive meeting information, session hijacking, or the compromise of user credentials through credential harvesting techniques. From an attacker's perspective, this vulnerability provides a low-effort, high-impact method of gaining initial access to meeting participants' browsers and can serve as a launching point for more extensive attacks within the target organization's network.

Organizations and users should immediately upgrade to Zoom client version 5.13.10 or later to remediate this vulnerability. The patch addresses the input validation issue by implementing proper HTML sanitization and escaping mechanisms for display names, ensuring that user-supplied content cannot contain executable script elements. Security administrators should also implement network monitoring to detect potential exploitation attempts and consider temporary restrictions on meeting creation features until full remediation is achieved. The vulnerability highlights the importance of input validation and output encoding in client-side applications, aligning with ATT&CK technique T1059.007 for command and scripting interpreter. Organizations should also review their incident response procedures to prepare for potential exploitation of similar vulnerabilities and maintain updated threat intelligence feeds to monitor for related attack patterns targeting collaboration platforms.

Reservation

03/17/2023

Disclosure

06/13/2023

Moderation

accepted

CPE

ready

EPSS

0.00728

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!