MicrosoftMS:CVE-2020-1462Skype for Business via Microsoft Edge (EdgeHTML-based) Information Disclosure Vulnerability
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
0.016 Low
EPSS
Percentile
87.3%
An information disclosure vulnerability exists when Skype for Business is accessed via Microsoft Edge (EdgeHTML-based). An attacker who exploited the vulnerability could cause the user to place a call without additional consent, leading to information disclosure of the user profile.
For the vulnerability to be exploited, a user must click a specially crafted URL that prompts the Skype app. In an email attack scenario, an attacker could exploit the vulnerability by sending an email message containing the specially crafted URL to the user and convincing the user to click the specially crafted URL.
The security update addresses the vulnerability by correcting how Microsoft Edge (EdgeHTML-based) handles URLs that are designed to use the Skype for Business app by requesting user permission before launching the app.
Related
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
0.016 Low
EPSS
Percentile
87.3%