vulnerability

Zoom Zoom: CVE-2022-22785: Improperly constrained session cookies in Zoom Client for Meetings

Severity: 6
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:N)
Published: May 17, 2022
Added: Jan 8, 2025
Modified: Feb 9, 2026

Description

The Zoom Client for Meetings (for Android, iOS, Linux, macOS, and Windows) before version 5.10.0 fails to properly constrain client session cookies to Zoom domains. This issue could be used in a more sophisticated attack to send a user’s Zoom-scoped session cookies to a non-Zoom domain. This could potentially allow for spoofing of a Zoom user.

Solution

zoom-zoom-upgrade-latest