CVE-2022-28760 On-Premise Meeting Connector MMR 4.8.20220815 contains an improper access control vulnerability.

Meeting Connector is an extensible content management platform that enables meeting organizers to create, edit, and share documents and presentations. It is widely used in enterprises, government agencies, non-profit organizations, education, and healthcare. On March 13, 2019, Zoom released version 4.8.20220815.130 of MMR, which is the latest version at the time of publishing. There are two ways to install MMR in your organization. You can either download it from a URL directly from the Zoom website, or you could install it using a distribution package. If you used an installation package, you should immediately upgrade to the latest version. A recently discovered vulnerability in the on-premise version of MMR could be exploited by a malicious actor to obtain the audio and video feed of a meeting they were not authorized to join.

Summary

The on-premise version of MMR has a vulnerability in the on-premise client that could be exploited by a malicious actor to obtain the audio and video feed of an unauthorized meeting they were not authorized to join.

Summary of vulnerabilities

CVE-2022-28760: An issue was discovered in Zoom's on-premise version of MMR, which is version 4.8.20220815.130. The vulnerability could be exploited by a malicious actor to obtain the audio and video feed of a meeting they were not authorized to join. A malicious actor could also deactivate all other participants in the meeting, or disconnect them from the call.
Zoom has resolved this issue with its latest release 4.8.20220815.1302

Vulnerability overview

CVE-2022-28760 is a vulnerability that affects the on-premise version of MMR. It could be exploited by a malicious actor to obtain the audio and video feed of a meeting they were not authorized to join. This vulnerability can be problematic as it could lead to unauthorized access to sensitive information, such as sensitive documents or audio files during the meeting.

Vulnerability

A recently discovered vulnerability in the on-premise version of MMR could be exploited by a malicious actor to obtain the audio and video feed of a meeting they were not authorized to join.

Timeline

Published on: 10/14/2022 15:15:00 UTC
Last modified on: 10/18/2022 19:48:00 UTC

References

• https://explore.zoom.us/en/trust/security/security-bulletin/
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-28760