The Zoom Client prior to version 4.4.5 contains a default video setting that could result in unintended disclosure of video information to a third party. Though the referenced Zoom Client provides participants the option to disable the video camera when joining a Zoom meeting, the default is set to turn the camera on. A user who unintentionally joins a Zoom meeting -- such as through a phishing link -- could unexpectedly join a Zoom that meeting with camera turned on, resulting in a loss of confidentiality.
Zoom implemented in Client version 4.4.5 published July 14, 2019 a new Video Preview dialog that is presented to the user before joining a meeting. This dialog enables the user to join the meeting with or without video enabled and requires the user to set their desired default behavior for video. Zoom urges customers to install the latest Zoom Client release.
CVSS v3.0 Severity and Metrics
Base Score: 3.1 (Low Severity)
Attack Vector: Network
Attack Complexity: High (depends on conditions outside the attacker’s control)
Privileges Required: None
User Interaction: Required
Confidentiality: Low (impact limited to video information)
Vector String: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Note: CVSS score may differ from that published in NVD due to differences between analysts in impact assessment or other calculation components.