What is CVE-2019-3568?
WhatsApp VOIP Stack Buffer Overflow Vulnerability
This vulnerability is a buffer overflow in the WhatsApp VOIP stack that allows remote code execution via a series of specially crafted RTCP packets sent to a target phone number.
The attacker covertly installs spyware on the victim's device by exploiting mobile device vulnerabilities. A voice call to the target's iPhone or Android device is enough; the target does not need to answer the call. The call cannot be traced because the spyware deletes the incoming call information from the device's logs. This vulnerability can give the attacker remote access to the victim's device, including text messages, call recordings, contact information, location information, and microphone and camera data.
Impact of CVE-2019-3568
This vulnerability affects the following:
- WhatsApp for Android prior to v2.19.134
- WhatsApp Business prior to v2.19.44
- WhatsApp for iOS prior to v2.19.51
- WhatsApp for Windows prior to v2.18.348
- WhatsApp for Tizen prior to v2.18.15
CVE ID | CVE-2019-3568 |
Vulnerability Name | WhatsApp VOIP Stack Buffer Overflow Vulnerability |
Vendor | Meta Platforms |
Product | |
Date added to the catalog | 2022-04-19 |
Description | This vulnerability is a buffer overflow in the WhatsApp VOIP stack that allows remote code execution via a series of specially crafted RTCP packets sent to a target phone number. |
Severity (out of 10) | 9.8 (Critical) |
Remediation | Users of WhatsApp are advised to upgrade to the latest version as soon as possible. The app can be updated through the Google Play Store. |
What is CVE-2018-6882?
Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability
Zimbra is an enterprise-class calendar, mail, and collaboration solution built for both private and public clouds. The interface is browser-based, so it can run on any device: smartphone, tablet, or laptop.
A cross-site scripting (XSS) vulnerability in the ZmMailMsgView.getAttachmentLinkHtml function in Zimbra Collaboration Suite before 8.7 Patch1 and before 8.8.7 enables remote attackers to inject HTML or web script via an e-mail attachment that contains a Content-Location header. When an e-mail with one or more attachments is opened, a link (tag) is generated for every attachment. The header value is not sanitized before it is placed in that link, and an attacker can control the value of the header, which results in the injection of arbitrary JavaScript or HTML.
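The missing sanitization step described above, shown as an added example that is not Zimbra's code and not part of the original page: an attachment link built by plain string concatenation next to a version that encodes every message-derived value. The function names, the `att` object shape, the base URL and the sample header value are all assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, not Zimbra source code.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Allow only http(s) link targets; anything else collapses to an inert "#".
function safeHref(url) {
  try {
    const parsed = new URL(url, "https://mail.example.invalid/"); // assumed base URL
    return ["http:", "https:"].includes(parsed.protocol) ? parsed.href : "#";
  } catch {
    return "#";
  }
}

// Pattern described above: the header value is concatenated into markup as-is.
function attachmentLinkUnsafe(att) {
  return '<a href="' + att.url + '">' + att.contentLocation + "</a>";
}

// Hardened form: every message-derived value is encoded for its output context.
function attachmentLinkSafe(att) {
  const label = att.contentLocation || att.filename || "attachment";
  return '<a href="' + escapeHtml(safeHref(att.url)) + '">' + escapeHtml(label) + "</a>";
}

// Constructed sample: a Content-Location value carrying markup characters.
const sample = {
  url: "/attachments/42?part=2&disp=a",
  filename: "report.pdf",
  contentLocation: 'report.pdf"><b>injected</b>',
};

console.log(attachmentLinkUnsafe(sample)); // the <b> element reaches the page as markup
console.log(attachmentLinkSafe(sample));   // the same text is rendered as inert characters
```

The same encoding applies to any other header-derived field (file name, content type) that ends up in the message view.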
CVE ID | CVE-2018-6882 |
Vulnerability Name | Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability |
Vendor | Zimbra |
Product | Collaboration Suite (ZCS) |
Date added to the catalog | 2022-04-19 |
Description | Zimbra Collaboration Suite contains a cross-site scripting vulnerability that allows an attacker to remotely inject arbitrary HTML or web script. |
Severity (out of 10) | 6.1 (Medium) |
Impact | This vulnerability was identified in ZCS version 8.8.7. It affects all ZCS versions from 8.5.0. |
Remediation | This vulnerability can be fixed by upgrading to Zimbra Collaboration Suite version 8.8.7. |
Conclusion
If these vulnerabilities are not patched in time with the required remediations, they can allow attackers to remotely access your device, including text messages, call recordings, contact information, location information, and microphone and camera data.