Vulnerability Description
The Zoom IT installer for Windows (ZoomInstallerFull.msi) prior to version 4.6.10 deletes files located in %APPDATA%\Zoom before installing an updated version of the client. Standard users are able to write to this directory, and can write links to other directories on the machine. As the installer runs with SYSTEM privileges and follows these links, a user can cause the installer to delete files that otherwise cannot be deleted by the user.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zoom | It Installer | < 4.6.10 |
Related Weaknesses (CWE)
References
- https://support.zoom.us/hc/en-us/articles/201361953-New-Updates-for-WindowsBroken LinkVendor Advisory
- https://support.zoom.us/hc/en-us/articles/360043036451Broken LinkVendor Advisory
- https://support.zoom.us/hc/en-us/articles/360043036451-Security-CVE-2020-11443Broken LinkVendor Advisory
- https://support.zoom.us/hc/en-us/articles/201361953-New-Updates-for-WindowsBroken LinkVendor Advisory
- https://support.zoom.us/hc/en-us/articles/360043036451Broken LinkVendor Advisory
- https://support.zoom.us/hc/en-us/articles/360043036451-Security-CVE-2020-11443Broken LinkVendor Advisory
FAQ
What is CVE-2020-11443?
CVE-2020-11443 is a vulnerability with a CVSS score of 8.1 (HIGH). The Zoom IT installer for Windows (ZoomInstallerFull.msi) prior to version 4.6.10 deletes files located in %APPDATA%\Zoom before installing an updated version of the client. Standard users are able to...
How severe is CVE-2020-11443?
CVE-2020-11443 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-11443?
Check the references section above for vendor advisories and patch information. Affected products include: Zoom It Installer.