PT-2023-2184
Published: 2023-01-09 · Updated: 2023-03-27
CVE-2023-22880
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Zoom for Windows clients versions 5.13.2 and earlier
Zoom Rooms for Windows clients versions 5.13.4 and earlier
Zoom VDI for Windows clients versions 5.13.0 and earlier
Description
The issue is an information disclosure vulnerability caused by insufficient protection of service data: text entered in the client was transmitted to an online service instead of being processed by the local one. This vulnerability may allow a remote attacker to gain unauthorized access to protected information. The vulnerability was introduced by a recent update to the Microsoft Edge WebView2 runtime used by the affected Zoom clients, which transmitted text to Microsoft's online Spellcheck service instead of the local Windows Spellcheck.
Recommendations
For Zoom for Windows clients versions 5.13.2 and earlier, update Zoom to version 5.13.3 or later to remediate the vulnerability by disabling the feature.
For Zoom Rooms for Windows clients versions 5.13.4 and earlier, update Zoom to version 5.13.5 or later to remediate the vulnerability by disabling the feature.
For Zoom VDI for Windows clients versions 5.13.0 and earlier, update Zoom to version 5.13.1 or later to remediate the vulnerability by disabling the feature.
As an alternative, update Microsoft Edge WebView2 Runtime to at least version 109.0.1481.0 and restart Zoom to remediate the vulnerability by updating Microsoft's telemetry behavior.
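The following is an added host check, not code from the advisory, Zoom or Microsoft. It reports whether either remediation above is in place. It assumes the WebView2 Runtime version is read from the Edge Update client key Microsoft documents for runtime detection, and that the per-user Zoom desktop client is installed at %APPDATA%\Zoom\bin\Zoom.exe; adjust the path for Zoom Rooms or VDI installs.

```powershell
# Added example: check a host against the fixed versions stated in the advisory.
$FixedWebView2 = [version]'109.0.1481.0'
$FixedZoom = @{
    'Zoom'       = [version]'5.13.3'
    'Zoom Rooms' = [version]'5.13.5'
    'Zoom VDI'   = [version]'5.13.1'
}

# Extract a dotted version from strings such as "5.13.3 (11494)".
function ConvertTo-DottedVersion([string]$Text) {
    if ($Text -match '\d+(\.\d+)+') { return [version]$Matches[0] }
    return $null
}

function Get-WebView2RuntimeVersion {
    # Assumption: Microsoft's documented detection key for the Evergreen WebView2 Runtime.
    $keys = @(
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\Clients\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}',
        'HKCU:\Software\Microsoft\EdgeUpdate\Clients\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}'
    )
    foreach ($k in $keys) {
        $pv = (Get-ItemProperty -Path $k -Name pv -ErrorAction SilentlyContinue).pv
        if ($pv) { return ConvertTo-DottedVersion $pv }
    }
    return $null
}

function Get-ZoomClientVersion {
    # Assumption: per-user desktop client location.
    param([string]$ExePath = (Join-Path $env:APPDATA 'Zoom\bin\Zoom.exe'))
    if (-not (Test-Path $ExePath)) { return $null }
    return ConvertTo-DottedVersion (Get-Item $ExePath).VersionInfo.ProductVersion
}

function Test-ZoomSpellcheckExposure {
    param([string]$Product = 'Zoom')
    $zoom = Get-ZoomClientVersion
    $wv2  = Get-WebView2RuntimeVersion
    # Either remediation from the advisory is sufficient on its own.
    $zoomFixed = ($null -ne $zoom) -and ($zoom -ge $FixedZoom[$Product])
    $wv2Fixed  = ($null -ne $wv2)  -and ($wv2  -ge $FixedWebView2)
    $remediated = $zoomFixed -or $wv2Fixed
    $note = if ($remediated) { 'OK' } else { 'Update Zoom or the WebView2 Runtime, then restart Zoom' }
    [pscustomobject]@{
        ZoomVersion     = $zoom
        WebView2Version = $wv2
        Remediated      = $remediated
        Note            = $note
    }
}

Test-ZoomSpellcheckExposure
```

A missing Zoom.exe or registry key is reported as $null rather than treated as fixed, so an absent runtime does not mask an unpatched client.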
Fix
Information Disclosure
Affected Products
Edge WebView2
Zoom
Zoom Rooms
Zoom VDI