
AOL Instant Messenger URL refresh Tag XSS

Medium

Synopsis

The remote AOL client may be coerced into running arbitrary HTML code.

Description

The remote host is running AOL Instant Messenger (AIM). AIM is prone to an issue that may allow maliciously crafted HTML to perform unauthorized actions (such as adding entries to the buddy list) on behalf of the user of a vulnerable client. This condition is due to how the client handles aim: URIs. These actions will be taken without prompting or notifying the user. This issue was reported for versions of AIM running on Microsoft Windows and MacOS. The Linux version of this client is not affected.

Solution

Upgrade to the latest version of AOL Instant Messenger.