CVSS2: 4.3 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS: 0.006 Low
Percentile: 78.8%
The Skype client does not properly filter user-supplied input that was received from the SkypeFind service. This vulnerability may allow an attacker to execute arbitrary code.
Skype is a peer-to-peer application that provides Voice over IP (VoIP) and Instant Messaging services. The Skype client is available for the Microsoft Windows, Apple OS X and Linux operating systems. SkypeFind allows users to review businesses. These reviews are viewable by others.
Skype does not properly filter input that was supplied to the SkypeFind full name field. An attacker may be able to exploit this vulnerability by injecting script into the full name field. When a user viewed the specially crafted SkypeFind profile, the script would be run in the Internet Explorer Local Machine Zone.
As explained in VU#248184, since the user-supplied script runs in the Local Machine Zone, a remote unauthenticated attacker may be able to execute arbitrary code.
Skype has addressed this issue by filtering input supplied to the SkypeFind service.
Restrict access to the Skype URI
Blocking the skype: URI handler by using proxy servers or application firewalls may prevent some remote vulnerabilities in Skype from being exploited without user interaction.
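The check a proxy or application firewall could apply to HTML responses for this workaround, as an added example that is not part of the original advisory or of Skype's code: it flags attributes whose decoded value resolves to the skype: scheme. The attribute list, the function and class names, and the sample markup are assumptions constructed for illustration.

```python
# Added example (not from the advisory): flag skype: URIs in an HTML response.
import re
from html.parser import HTMLParser

BLOCKED_SCHEME = "skype"
URL_ATTRS = {"href", "src", "action", "data", "formaction"}  # assumed attribute set
SCHEME_RE = re.compile(r"([a-z][a-z0-9+.\-]*):", re.I)
META_URL_RE = re.compile(r"url\s*=\s*['\"]?(.*)", re.I | re.S)
C0_AND_SPACE = "".join(map(chr, range(0x21)))


def scheme_of(raw):
    """Lower-cased scheme as a browser's URL parser would see it, or None."""
    url = raw.strip(C0_AND_SPACE)       # leading/trailing controls and spaces are ignored
    url = re.sub(r"[\t\r\n]", "", url)  # tab/CR/LF are dropped anywhere in a URL
    m = SCHEME_RE.match(url)
    return m.group(1).lower() if m else None


class SkypeUriFinder(HTMLParser):
    """Collects (tag, attribute, value) for every attribute that resolves to skype:."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser has already decoded character references in attribute values.
        attrs = {k: (v or "") for k, v in attrs}
        for name, value in attrs.items():
            if name in URL_ATTRS and scheme_of(value) == BLOCKED_SCHEME:
                self.hits.append((tag, name, value))
        if tag == "meta" and attrs.get("http-equiv", "").lower() == "refresh":
            m = META_URL_RE.search(attrs.get("content", ""))
            if m and scheme_of(m.group(1)) == BLOCKED_SCHEME:
                self.hits.append((tag, "content", m.group(1)))


def find_skype_uris(html_text):
    finder = SkypeUriFinder()
    finder.feed(html_text)
    finder.close()
    return finder.hits


# Constructed sample response body; "constructed.user" is a placeholder name.
SAMPLE = """<a href="https://example.com/skype:info">not a skype: URI</a>
<a href="skype:constructed.user?call">direct</a>
<iframe src=" SkYpE:constructed.user?chat"></iframe>
<a href="sk&#x79;pe:constructed.user">character reference</a>
<meta http-equiv="refresh" content="0; url=skype:constructed.user?call">"""
```

A filter that matches the literal string `skype:` in the raw body would miss the mixed-case and character-reference forms in the sample, which is why the value is decoded and normalized before the scheme is compared.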
794236
Updated: February 06, 2008
Affected
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
This vulnerability was made public by Aviv Raff.
This document was written by Ryan Giobbi.
CVE IDs: | CVE-2008-0582, CVE-2008-0583 |
---|---|
Date Public: | 2008-01-31 |
Date First Published: | |