Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
certCERTVU:794236
HistoryFeb 13, 2008 - 12:00 a.m.

SkypeFind fails to properly sanitize user-supplied input

2008-02-1300:00:00
www.kb.cert.org
10

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.006 Low

EPSS

Percentile

78.8%

JSON

Overview

The Skype client does not properly filter user-supplied input that was received from the SkypeFind service. This vulnerability may allow an attacker to execute arbitrary code.

Description

Skype is a peer-to-peer application that provides Voice over IP (VoIP) and Instant Messaging services. The Skype client is available for the Microsoft Windows, Apple OS X and Linux operating systems. SkypeFind allows users to review businesses. These reviews are viewable by others.

Skype does not properly filter input that was supplied to the SkypeFind full name field. An attacker may be able to exploit this vulnerability by injecting script into the full name field. When a user viewed the specially crafted SkypeFind profile, the script would be run in the Internet Explorer Local Machine Zone.

Impact

As explained in VU#248184, since the user-supplied script runs in the Local Machine Zone a remote unauthenticated attacker may be able to execute arbitrary code.

Solution

Skype has addressed this issue by filtering input supplied to the SkypeFind service.

Restrict access to the Skype URI

Blocking the skype: URI handler by using proxy servers or application firewalls may prevent some remote vulnerabilities in Skype from being exploited without user interaction.

Vendor Information

794236

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Skype Technologies Affected

Updated: February 06, 2008

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was made public by Aviv Raff.

This document was written by Ryan Giobbi.

Other Information

CVE IDs: CVE-2008-0582, CVE-2008-0583
Date Public: 2008-01-31 Date First Published:

Related

nessus 1
cvelist 2
prion 2
nvd 2
cve 2
nessus
nessus
Skype Web Content Zone Multiple Field Remote Code Execution (uncredentialed check)
2008-02-07 00:00:00
cvelist
cvelist
CVE-2008-0582
2008-02-05 02:00:00
CVE-2008-0583
2008-02-05 02:00:00
prion
prion
Cross site scripting
2008-02-05 03:00:00
Cross site scripting
2008-02-05 03:00:00
nvd
nvd
CVE-2008-0582
2008-02-05 03:00:00
CVE-2008-0583
2008-02-05 03:00:00
cve
cve
CVE-2008-0582
2008-02-05 03:00:00
CVE-2008-0583
2008-02-05 03:00:00

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.006 Low

EPSS

Percentile

78.8%

JSON
Related for VU:794236
nessus1cvelist2prion2nvd2cve2