History: Sep 08, 2015 - 12:00 a.m.

KLA10657 Multiple vulnerabilities in Microsoft communication services

2015-09-08 00:00:00
Kaspersky Lab
threats.kaspersky.com

CVSS2: 4.3 Medium (AV:N/AC:M/Au:N/C:N/I:P/A:N)

  • Attack Vector: NETWORK
  • Attack Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

AI Score: 6.6 Medium (Confidence: Low)

EPSS: 0.033 Low (Percentile: 91.4%)

Improper content sanitization in the jQuery engine, along with other vectors, was found in Lync Server and Skype for Business Server. By exploiting these vulnerabilities, malicious users can gain privileges or obtain sensitive information. These vulnerabilities can be exploited remotely via specially designed web content. Clients connected to affected servers are also affected.

Original advisories

CVE-2015-2536

CVE-2015-2531

CVE-2015-2532

Related products

Microsoft-Lync-Server

CVE list

CVE-2015-2536 warning

CVE-2015-2531 warning

CVE-2015-2532 warning

KB list

3089952

3080353

3061064

Solution

Install the necessary updates from the KB section that are listed in your Windows Update (Windows Update can usually be accessed from the Control Panel).

Impacts

  • OSI

Obtain sensitive information. Exploitation of vulnerabilities with this impact can allow an abuser to capture information that is critical for the user or system.

  • PE

Privilege escalation. Exploitation of vulnerabilities with this impact can allow an abuser to perform actions that are normally disallowed for the current role.

Affected Products

  • Lync Server 2013
  • Skype for Business Server 2015
