Executive Summary
Summary | |
---|---|
Title | SkypeFind fails to properly sanitize user-supplied input |
Informations | |||
---|---|---|---|
Name | VU#794236 | First vendor Publication | 2008-02-13 |
Vendor | VU-CERT | Last vendor Modification | 2008-02-13 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N) | |||
---|---|---|---|
Cvss Base Score | 4.3 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Medium |
Cvss Expoit Score | 8.6 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Vulnerability Note VU#794236SkypeFind fails to properly sanitize user-supplied inputOverviewThe Skype client does not properly filter user-supplied input that was received from the SkypeFind service. This vulnerability may allow an attacker to execute arbitrary code.I. DescriptionSkype is a peer-to-peer application that provides Voice over IP (VoIP) and Instant Messaging services. The Skype client is available for the Microsoft Windows, Apple OS X and Linux operating systems. SkypeFind allows users to review businesses. These reviews are viewable by others.Skype does not properly filter input that was supplied to the SkypeFind full name field. An attacker may be able to exploit this vulnerability by injecting script into the full name field. When a user viewed the specially crafted SkypeFind profile, the script would be run in the Internet Explorer Local Machine Zone. Restrict access to the Skype URI
References
This vulnerability was made public by Aviv Raff. This document was written by Ryan Giobbi.
|
Original Source
Url : http://www.kb.cert.org/vuls/id/794236 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-94 | Failure to Control Generation of Code ('Code Injection') |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:26506 | |||
Oval ID: | oval:org.mitre.oval:def:26506 | ||
Title: | Cross-zone scripting vulnerability | ||
Description: | Cross-zone scripting vulnerability in the Internet Explorer web control in Skype 3.1 through 3.6.0.244 on Windows allows remote attackers to inject arbitrary web script or HTML in the Local Machine Zone via the Full Name field of a reviewer of a business item entry, accessible through (1) the SkypeFind dialog and (2) a skype:?skypefind URI for the skype: URI handler. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2008-0582 | Version: | 3 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Vista Microsoft Windows XP Microsoft Windows 8 Microsoft Windows 8.1 | Product(s): | Skype |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:26528 | |||
Oval ID: | oval:org.mitre.oval:def:26528 | ||
Title: | Cross-zone scripting vulnerability | ||
Description: | Cross-zone scripting vulnerability in the Internet Explorer web control in Skype 3.6.0.244, and earlier 3.5.x and 3.6.x versions, on Windows allows user-assisted remote attackers to inject arbitrary web script or HTML in the Local Machine Zone via the Description and unspecified other metadata fields of a Metacafe movie submitted by Metacafe Pro to the Skype video gallery, accessible through a search within the (1) "Add video to chat" or (2) "Add video to mood" dialog, a different vector than CVE-2008-0454. | ||
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2008-0583 | Version: | 3 |
Platform(s): | Microsoft Windows 2000 Microsoft Windows 7 Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Vista Microsoft Windows XP Microsoft Windows 8 Microsoft Windows 8.1 | Product(s): | Skype |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
42868 | Skype Metacafe Pro Gallery Submitted Movie Multiple Field Cross-zone Scripting |
42865 | Skype Business Item Entry Reviewer Full Name Field Cross-zone Scripting |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2008-02-07 | Name : The remote Skype client is affected by a remote code execution issue through ... File : skype_2008_001.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2013-05-11 00:57:23 |
|