Main Vulnerability Database Vulnerabilities #VU25795

Insufficient Session Expiration in Zoom administrator portal - #VU25795

Published: March 6, 2020

Vulnerability identifier: #VU25795

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: N/A

CWE-ID: CWE-613

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Zoom Video Communications, Inc.

Affected software:
Zoom administrator portal

Detailed vulnerability description

The vulnerability allows a remote user to gain access to target system.

The vulnerability exists due to insufficient session expiration issue in Zoom Conference Room Connector services. A remote administrator with access to the connected device can access the room administration interface, even if this access is revoked by removing the user from the administrator group or by deleting the user altogether.

Remediation

Install updates from vendor's website.

Sources

https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0969

Insufficient Session Expiration in Zoom administrator portal - #VU25795

Detailed vulnerability description

Remediation

Sources

Please verify you're human