Skype Extras Manager (skypePM.exe) skype-plugin: URI Arbitrary XML File Deletion (uncredentialed check)
Medium Nessus Plugin ID 50597
Synopsis
The remote Skype client allows deletion of arbitrary XML files.

Description
According to its timestamp, the version of Skype installed on the remote host likely includes a version of the Skype Extras Manager (skypePM.exe) that has a flaw in its handling of the 'skype-plugin:' protocol.
If an attacker can trick a user on the affected system into clicking on a specially crafted link, an arbitrary '.xml' file could be deleted on the affected system subject to the user's privileges.

Solution
Upgrade to Skype 184.108.40.206 or later as that is reported to address the issue.