CVE-2022-22785 MEDIUM

CVE-2022-22785: Improperly constrained session cookies in Zoom Client for Meetings

Vendor Zoom Video Communications Inc
Product Zoom Client for Meetings for Android
Published May 18, 2022
Last update September 17, 2024

CVSS base score

5.9/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity None
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L

What the vulnerability does

01 Description

The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.10.0 failed to properly constrain client session cookies to Zoom domains. This issue could be used in a more sophisticated attack to send an unsuspecting user's Zoom-scoped session cookies to a non-Zoom domain. Because those cookies authenticate the user's session, a party receiving them could potentially spoof that Zoom user.
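The advisory does not say how the client's cookie scoping failed, so the following is an added illustration of the bug class rather than Zoom's code: a cookie-scope check that compares only string suffixes (so `evilzoom.us` "matches" `zoom.us`), beside a hardened check that applies RFC 6265 domain-matching on the parsed hostname and is re-run on every redirect hop. The allowlisted domains, the `in_scope` / `walk_redirects` names and the redirect map are assumptions constructed for the example.

```python
"""Session-cookie scoping check: may this cookie be attached to this request?

Added example, not Zoom's implementation. ZOOM_DOMAINS and REDIRECTS are
constructed assumptions for the demo.
"""
from urllib.parse import urlsplit

# Assumed first-party domains a Zoom session cookie may be sent to.
ZOOM_DOMAINS = ("zoom.us", "zoom.com")


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 s5.1.3 domain-match: host == domain, or host ends with
    '.' + domain. The dot boundary is what stops 'evilzoom.us' from
    matching 'zoom.us'."""
    host = host.lower().rstrip(".")
    domain = domain.lower().strip(".")
    return host == domain or host.endswith("." + domain)


def weak_in_scope(url: str) -> bool:
    """The bug class: a bare suffix check on the host. Any attacker-registered
    host whose name merely ends in the allowlisted string passes."""
    host = urlsplit(url).hostname or ""
    return any(host.endswith(d) for d in ZOOM_DOMAINS)


def in_scope(url: str) -> bool:
    """Hardened check: HTTPS only, and the parsed hostname (not the raw
    netloc, so 'https://zoom.us@evil.example/' is not fooled by userinfo)
    must domain-match an allowlisted domain."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = parts.hostname or ""
    return bool(host) and any(domain_matches(host, d) for d in ZOOM_DOMAINS)


# Constructed redirect map (url -> Location target, None = final response).
# It models a chain that starts on a Zoom domain and ends on a look-alike host.
REDIRECTS = {
    "https://zoom.us/launch": "https://api.zoom.us/start",
    "https://api.zoom.us/start": "https://evilzoom.us/collect",
    "https://evilzoom.us/collect": None,
}


def walk_redirects(start_url, redirects, check=in_scope, max_hops=5):
    """Walk a redirect chain and return [(url, cookie_attached)] for every
    request that would be made. The scope check runs on each hop's URL, not
    just the first one; a client that validates only the initial URL leaks the
    cookie on the third hop here."""
    trail = []
    url = start_url
    for _ in range(max_hops + 1):
        trail.append((url, check(url)))
        nxt = redirects.get(url)
        if nxt is None:
            break
        url = nxt
    return trail


if __name__ == "__main__":
    for name, chk in (("weak", weak_in_scope), ("hardened", in_scope)):
        print(name)
        for url, sent in walk_redirects("https://zoom.us/launch", REDIRECTS, chk):
            print(f"  {'SEND' if sent else 'hold'} cookie -> {url}")
```

Running it shows the weak check attaching the session cookie to all three hops, including the look-alike host, while the hardened check holds it back on the final hop. In a real client the same decision belongs wherever the cookie jar hands cookies to the HTTP stack or embedded web view, because that is the one place every outbound request, redirected or not, passes through.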

Key dates

02 Disclosure timeline

May 18, 2022 CVE published
September 17, 2024 Record updated