Microsoft Lync Server 2010 reachLocale Parameter XSS
Medium Nessus Plugin ID 68880
Synopsis
A web application on the remote host has a cross-site scripting vulnerability.

Description
According to its self-reported version number, the version of Web Components Server (a component of Microsoft Lync 2010) has a cross-site scripting vulnerability. Input passed to the 'reachLocale' parameter of ReachJoin.aspx is not properly sanitized. An attacker could exploit this by tricking a user into requesting a specially crafted URL, resulting in arbitrary script code execution.

Solution
Install the Lync Server 2010, Web Components Server April 2011 update (KB2500441) or later.