CVE-2022-22785

Improperly constrained session cookies in Zoom Client for Meetings

CVSS 5.9 MEDIUMEPSS 3.5%

The Zoom Client for Meetings (for Android, iOS, Linux, MacOS, and Windows) before version 5.10.0 failed to properly constrain client session cookies to Zoom domains. This issue could be used in a more sophisticated attack to send an unsuspecting users Zoom-scoped session cookies to a non-Zoom domain. This could potentially allow for spoofing of a Zoom user.

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L

Affected products

Zoom Video Communications Inc · Zoom Client for Meetings for Android Zoom Video Communications Inc · Zoom Client for Meetings for iOS Zoom Video Communications Inc · Zoom Client for Meetings for Linux Zoom Video Communications Inc · Zoom Client for Meetings for MacOS Zoom Video Communications Inc · Zoom Client for Meetings for Windows

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://explore.zoom.us/en/trust/security/security-bulletin