CVE-2023-36535
In short
Zoom clients before version 5.14.10 have a security flaw where the application trusts client-side checks instead of properly enforcing security rules on the server side. An authenticated user could exploit this to access information they shouldn't be able to see by manipulating their local application.
Technical detail
CWE-449 vulnerability in Zoom clients <5.14.10 where security decisions are enforced on the client rather than the server. An authenticated attacker can bypass client-side restrictions through network manipulation or application modification, resulting in unauthorized information disclosure without requiring additional authentication or privileges.
Summary generated and translated by AI from the official description.
Client-side enforcement of server-side security in Zoom clients before 5.14.10 may allow an authenticated user to enable information disclosure via network access.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
Affected products
Zoom Video Communications, Inc. · Zoom Clients