Information Disclosure in Zoom for Windows Clients

CVE-2023-22880

7.5HIGH

Key Information

Vendor: Zoom
Status: Zoom for Windows; Zoom Rooms for Windows; Zoom VDI for Windows
Vendor: CVE Published:; 16 March 2023

Summary

Zoom for Windows clients before version 5.13.3, Zoom Rooms for Windows clients before version 5.13.5 and Zoom VDI for Windows clients before 5.13.1 contain an information disclosure vulnerability. A recent update to the Microsoft Edge WebView2 runtime used by the affected Zoom clients, transmitted text to Microsoft’s online Spellcheck service instead of the local Windows Spellcheck. Updating Zoom remediates this vulnerability by disabling the feature. Updating Microsoft Edge WebView2 Runtime to at least version 109.0.1481.0 and restarting Zoom remediates this vulnerability by updating Microsoft’s telemetry behavior.

Affected Version(s)

Zoom for Windows < 5.13.3

Zoom Rooms for Windows < 5.13.3

Zoom VDI for Windows < 5.13.1

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Mar 16, 2023
Vulnerability Reserved.
Jan 9, 2023

Collectors

NVD DatabaseMitre Database