Rapid7 Vulnerability & Exploit Database

Zoom: CVE-2019-13450: Information Disclosure (webcam) Vulnerability

Severity: 4
CVSS: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Published: 07/09/2019
Created: 07/10/2019
Added: 07/09/2019
Modified: 07/18/2019

Description

In the Zoom Client through 4.4.4 and RingCentral 7.0.136380.0312 on macOS, remote attackers can force a user to join a video call with the video camera active. This occurs because any web site can interact with the Zoom web server on localhost port 19421 or 19424. NOTE: a machine remains vulnerable if the Zoom Client was installed in the past and then uninstalled. Blocking exploitation requires additional steps, such as the ZDisableVideo preference and/or killing the web server, deleting the ~/.zoomus directory, and creating a ~/.zoomus plain file.
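
The conditions named in the description can be checked per user account. The script below is an added example, not part of this database entry or of any Zoom or Rapid7 tooling: it classifies ~/.zoomus (directory, plain file, or absent) and looks for a listener on ports 19421 or 19424 in lsof output. Function names, verdict labels and the sample lsof lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: check a macOS account for the CVE-2019-13450 conditions in the
# advisory. Ports and ~/.zoomus are from the advisory; function names are hypothetical.
ZOOM_PORTS="19421 19424"

# Classify <home>/.zoomus: directory = leftover install, file = plain-file placeholder.
zoomus_state() {
    if [ -d "$1/.zoomus" ]; then echo directory
    elif [ -f "$1/.zoomus" ]; then echo file
    else echo absent
    fi
}

# stdin: `lsof -nP -iTCP -sTCP:LISTEN` output; prints each advisory port in LISTEN.
listening_zoom_ports() {
    awk -v ports="$ZOOM_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        /\(LISTEN\)/ {
            port = $(NF-1); sub(/.*:/, "", port)   # NAME is e.g. 127.0.0.1:19421
            if ((port in want) && !(port in seen)) { seen[port] = 1; print port }
        }'
}

# audit <home> <lsof-output>: one-line verdict (labels are this example's own).
audit() {
    state=$(zoomus_state "$1")
    ports=$(printf '%s\n' "$2" | listening_zoom_ports | tr '\n' ' ')
    if [ -n "$ports" ]; then echo "exposed: listener on ${ports% } (.zoomus: $state)"
    elif [ "$state" = directory ]; then echo "residual: .zoomus directory, no listener"
    elif [ "$state" = file ]; then echo "placeholder: .zoomus is a plain file, no listener"
    else echo "clean: no .zoomus, no listener"
    fi
}

# Constructed sample input (not captured from a real host).
SAMPLE_LSOF='COMMAND PID  USER  FD TYPE DEVICE SIZE/OFF NODE NAME
helper  4242 alice 5u IPv4 0x0    0t0      TCP  127.0.0.1:19421 (LISTEN)
httpd   4300 alice 4u IPv6 0x0    0t0      TCP  *:8080 (LISTEN)'
demo_home=$(mktemp -d)
mkdir "$demo_home/.zoomus"
audit "$demo_home" "$SAMPLE_LSOF"   # live: audit "$HOME" "$(lsof -nP -iTCP -sTCP:LISTEN)"
rm -rf "$demo_home"
```

The script does not inspect the ZDisableVideo preference, so a "residual" or "placeholder" verdict says nothing about that setting.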

Solution(s)

  • zoom-cve-2019-13450-workaround
  • zoom-mac-upgrade-4_4_53932_0709
