Improper URL parsing in Zoom Clients
CVE-2022-28763

8.8HIGH

Key Information:

Vendor: Zoom
Status: Zoom Client For Meetings (for Android, iOS, Linux, Mac OS, And Windows); Zoom Vdi Windows Meeting Clients; Zoom Rooms For Conference Room (for Android, iOS, Linux, Mac OS, And Windows)
Vendor: CVE Published:; 31 October 2022

What is CVE-2022-28763?

The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.12.2 is susceptible to a URL parsing vulnerability. If a malicious Zoom meeting URL is opened, the malicious link may direct the user to connect to an arbitrary network address, leading to additional attacks including session takeovers.

Affected Version(s)

Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) < 5.12.2

Zoom Rooms for Conference Room (for Android, iOS, Linux, macOS, and Windows) < 5.12.2

Zoom VDI Windows Meeting Clients < 5.12.2

References

https://explore.zoom.us/en/trust/security/security-bulletin/

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 31, 2022
Vulnerability Reserved
Apr 6, 2022