Main Vulnerability Database SB2020040161

SB2020040161 - Information disclosure in Zoom client for Windows

Published: April 1, 2020 Updated: April 21, 2020

Security Bulletin ID SB2020040161

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Reliance on Untrusted Inputs in a Security Decision (CVE-ID: N/A)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to Zoom client for Windows automatically processes comments in chat and converts URLs with UNC path into links. A remote attacker can trick the victim into following this link and gain access to NTLM credentials, sent by the victim's system.

Remediation

Install update from vendor's website.

References

https://www.bleepingcomputer.com/news/security/zoom-client-leaks-windows-login-credentials-to-attackers/
https://support.zoom.us/hc/en-us/articles/201361953-New-Updates-for-Windows