Improperly constrained session cookies in Zoom Client for Meetings

Bulletin: ZSB-22007
CVEID: CVE-2022-22785
CVSS Severity: Medium
CVSS Score: 5.9
CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L

Description:

The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.10.0 fails to properly constrain client session cookies to Zoom domains. This issue could be used in a more sophisticated attack to send a user’s Zoom-scoped session cookies to a non-Zoom domain. This could potentially allow for spoofing of a Zoom user.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.10.0

Source:

Reported by Ivan Fratric of Google Project Zero

Revision	Date	Description
1.0	05/17/2022	Initial Publication

Improperly constrained session cookies in Zoom Client for Meetings

Subscribe for updates