Skype for Business and Lync Spoofing Vulnerability

medium Nessus Plugin ID 122869

Synopsis

The Microsoft Skype for Business or Microsoft Lync installation on the remote host is missing a security update.

Description

The Microsoft Skype for Business or Microsoft Lync installation on the remote host is missing a security update. It is, therefore, affected by the following vulnerability :

- A spoofing vulnerability exists when a Skype for Business 2015 server does not properly sanitize a specially crafted request. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected Skype for Business server. The attacker who successfully exploited this vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. (CVE-2019-0798)

Solution

Microsoft has released the following security updates to address this issue:
-KB4492302
-KB4492303

See Also

http://www.nessus.org/u?fae2b3b0

Plugin Details

Severity: Medium

ID: 122869

File Name: smb_nt_ms19_mar_skype.nasl

Version: 1.6

Type: local

Agent: windows

Published: 3/15/2019

Updated: 6/13/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2019-0798

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:microsoft:lync, cpe:/a:microsoft:skype_for_business

Required KB Items: SMB/MS_Bulletin_Checks/Possible

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/12/2019

Vulnerability Publication Date: 3/12/2019

Reference Information

CVE: CVE-2019-0798

IAVA: 2019-A-0076

MSFT: MS19-4492302, MS19-4492303

MSKB: 4492302, 4492303