A client-side cross site scripting web vulnerability has been discovered in the official Microsoft Skype Community online service web-application. The security vulnerability allows remote attackers to manipulate client-side application to browser requests to compromise session data/information.
The security vulnerability is located in the
filename value of the
Skype Community - t5/forums/postpage.messageeditorform.form.form.form module.
Remote attackers are able to inject malicious script codes to client-side application requests. Remote attackers are able to prepare special crafted
weblinks to execute client-side script code that compromises the skype community forum user/admin session data. The execution of the script code
occurs in the exception-handling of the upload POST method request. The attack vector of the vulnerability is located on the client-side of the
online-service and the request method to inject or execute the code is POST. Due to the testings and research we figured out that several high
class vendors using the commercial lithium web-application.
The security risk of the non-persistent cross site vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.7. Exploitation of the non-persistent cross site scripting web vulnerability requires a low privilege web application user account and low user interaction. Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing, non-persistent external redirects, non-persistent load of malicious script codes or non-persistent web module context manipulation.
Request Method(s): [+] POST
Vulnerable Module(s): [+] Skype Community > t5/forums/
Vulnerable File(s): [+] t5/forums/postpage.messageeditorform.form.form.form
Vulnerable Parameter(s): [+] filename