CVE-2019-13450

Published: 09/07/2019 Updated: 16/07/2019
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 6.5 | Impact Score: 3.6 | Exploitability Score: 2.8
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

In the Zoom Client up to and including 4.4.4 and RingCentral 7.0.136380.0312 on macOS, remote attackers can force a user to join a video call with the video camera active. This occurs because any web site can interact with the Zoom web server on localhost port 19421 or 19424. NOTE: a machine remains vulnerable if the Zoom Client was installed in the past and then uninstalled. Blocking exploitation requires additional steps, such as the ZDisableVideo preference and/or killing the web server, deleting the ~/.zoomus directory, and creating a ~/.zoomus plain file.

Affected Products

Vendor        Product       Versions
RingCentral   RingCentral   7.0.136380.0312
Zoom          Zoom          4.4.4

Github Repositories

osgap: Give OS functions to the browser. Open and edit local files; open a URL with Internet Explorer. Not related to this project: a CVE from another project.

Recent Articles

Apple Issues Silent Update Removing Zoom’s Hidden Server
Threatpost • Tara Seals • 11 Jul 2019

Apple has pushed a silent update to Mac users that removes a hidden web server from Zoom users’ machines.
The Zoom web- and video-conferencing service has come under scrutiny for its handling of a zero-day bug (CVE-2019-13450) found by researcher Jonathan Leitschuh, which would allow an attacker to hijack a user’s web camera without their permission. However, the researcher also flagged a concerning persistence feature in the service: Even if users uninstalled the Zoom client, the se...

Zoom Pushes Emergency Patch for Webcam Hijack Flaw
Threatpost • Tara Seals • 10 Jul 2019

After facing public outcry over its handling of a zero-day vulnerability in its collaboration client for Mac, the Zoom web- and video-conferencing service has rushed out an emergency patch.
The flaw (CVE-2019-13450) allows a malicious website to hijack a user’s web camera without their permission, putting at risk the 4 million workers that use Zoom for Mac. Researcher Jonathan Leitschuh explained that an outside adversary would need only to convince a user to visit a malicious website...

Zoom Zero-Day Bug Opens Mac Users to Webcam Hijacking
Threatpost • Tara Seals • 09 Jul 2019

A zero-day vulnerability in the Zoom client for Mac allows a malicious website to hijack a user’s web camera without their permission.
Up to 4 million workers that use the Zoom for Mac web- and video-conferencing service are at risk from a flaw in the collaboration client (CVE-2019-13450), according to researcher Jonathan Leitschuh (he noted that Mac users make up about 10 percent of Zoom’s customer base of 40+ million). An outside adversary would need only to convince a user to visit ...