The vulnerabilities, tracked as CVE-2020-6109 and CVE-2020-6110 and both rated high severity, have been described as path traversal issues that could ultimately lead to arbitrary code execution. One impacts Zoom 4.6.10, 4.6.11 and likely earlier versions, and one of them only affects 4.6.10 and earlier. Newer versions of the video conferencing app patch the flaws.
CVE-2020-6109 is related to the way Zoom processes GIF image files. The vulnerability allows an attacker to send a specially crafted message to a user or group and it would result in a file being written to any directory to which the current user can write files.
