Information Disclosure in Zoom for Windows Clients
CVE-2023-22880

6.8 MEDIUM

Key Information:

Vendor: Zoom

CVE Published: 16 March 2023

Summary

Zoom for Windows clients prior to version 5.13.3, Zoom Rooms for Windows clients before version 5.13.5, and Zoom VDI for Windows clients before version 5.13.1 are susceptible to an information disclosure flaw. The issue arises from a recent update to the Microsoft Edge WebView2 runtime used by Zoom: after that update, sensitive text data was inadvertently sent to Microsoft's online Spellcheck service instead of being processed locally. To mitigate this vulnerability, users are advised to update their Zoom application to the latest version, which disables the problematic feature, and to ensure that their Microsoft Edge WebView2 runtime is updated to at least version 109.0.1481.0.

Affected Version(s)

Zoom for Windows < 5.13.3

Zoom Rooms for Windows < 5.13.3

Zoom VDI for Windows < 5.13.1

CVSS V3.1

Score: 6.8
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
