
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-22784 affects the Zoom Client for Meetings (Android, iOS, Linux, macOS, and Windows) before version 5.10.0. Discovered in February 2022, it stems from improper parsing of XML stanzas in XMPP messages. The vulnerability is rated high severity, with a CVSS score of 8.1 (NVD, CERT-EU).
The root cause is improper XML parsing in Zoom's chat functionality, which is built on the XMPP standard. The issue, dubbed 'XMPP Stanza Smuggling,' exploits inconsistencies between the XML parsers used by Zoom's client and server: because the two parsers interpret the same bytes differently, an attacker can 'smuggle' arbitrary XMPP stanzas to the victim's client, breaking out of the current XMPP message context and opening a new message context in which the receiving user's client performs various actions (Hacker News, Security Week).
Successful exploitation could allow an attacker to forge XMPP messages that appear to come from the server. No user interaction is required; the attacker only needs to be able to send messages to the victim over Zoom chat via the XMPP protocol. The result is the victim's client performing various unauthorized actions (Threatpost).
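As an added illustration (not code from Zoom or from the Project Zero write-up), the following Python sketch shows the server-side mitigation pattern for this class of bug: parse a client-supplied stanza strictly, reject anything that is not exactly one top-level stanza, stamp the authenticated sender into 'from', and forward only the re-serialised result rather than the original bytes, so the recipient's parser never sees input that the server's parser did not itself produce. The function names, the sample stanzas and the local-name matching are assumptions made for the demo.

```python
import xml.etree.ElementTree as ET

# Top-level stanza types an XMPP server relays (RFC 6120). A real stream carries
# the "jabber:client" default namespace, so matching is on the local name only.
ALLOWED_STANZAS = {"message", "presence", "iq"}

class StanzaRejected(ValueError):
    """Raised when a client-supplied stanza must not be forwarded."""

def parse_single_stanza(raw: bytes) -> ET.Element:
    """Strictly parse exactly one top-level stanza from client-supplied bytes.

    Expat rejects anything after the first document element, so a payload that
    concatenates a second stanza after the first never yields an Element.
    (For untrusted XML in production, swap in defusedxml's drop-in parser.)
    """
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise StanzaRejected(f"malformed XML: {exc}") from exc
    if root.tag.rpartition("}")[2] not in ALLOWED_STANZAS:
        raise StanzaRejected(f"unexpected top-level element {root.tag!r}")
    return root

def relay_stanza(raw: bytes, authenticated_jid: str) -> bytes:
    """Server-side relay: parse, stamp the sender, re-serialise, forward.

    The recipient only ever receives bytes generated from the server parser's
    own view of the stanza, never the sender's original bytes, so a parser
    differential between sender and server cannot reach the recipient's parser.
    The 'from' attribute is overwritten with the authenticated sender, as RFC
    6120 requires, so a forged 'from' claiming to be the server is discarded.
    """
    stanza = parse_single_stanza(raw)
    stanza.set("from", authenticated_jid)
    return ET.tostring(stanza, encoding="utf-8")

if __name__ == "__main__":
    # Constructed sample inputs: a normal message, a forged 'from', and a
    # payload with a second stanza appended to the first.
    samples = [
        b"<message to='bob@example.com'><body>hi</body></message>",
        b"<message from='example.com' to='bob@example.com'><body>hi</body></message>",
        b"<message to='bob@example.com'><body>hi</body></message><iq type='set' id='1'/>",
    ]
    for raw in samples:
        try:
            print("forwarded:", relay_stanza(raw, "alice@example.com").decode())
        except StanzaRejected as exc:
            print("rejected:", exc)
```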
Zoom patched this vulnerability in version 5.10.0 of the Zoom Client for Meetings. Users are strongly advised to update their client to this version or later to receive the fix (CERT-EU).
The vulnerability was discovered and reported by Ivan Fratric of Google Project Zero, who published a detailed technical analysis of the issue. It was one of a larger set of vulnerabilities found in Zoom's client software, reflecting the ongoing security scrutiny of video conferencing platforms (Security Week).
Source: This report was generated using AI