AOL Instant Messenger Arbitrary File Forced Download

High Nessus Network Monitor Plugin ID 1244

Synopsis

An attacker can silently download files to the remote AOL client.

Description

The remote host is running AOL Instant Messenger (AIM). A vulnerability has been discovered in AIM that could allow an attacker to force a user to download an attacker-supplied file. If a vulnerable user has enabled the option that allows file downloads without a prompt, the file will be transferred without asking the target user for authorization.

Solution

Disable the option that ignores file transfer prompts.

Plugin Details

Severity: High

ID: 1244

Published: 2004/08/20

Modified: 2018/09/16

Risk Information

Risk Factor: High

CVSSv2

Base Score: 7.6

Temporal Score: 7.2

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:H/RL:W/RC:ND

CVSSv3

Base Score: 8.1

Temporal Score: 7.9

Vector: CVSS3#AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:H/RL:W/RC:X

Vulnerability Information

CPE: cpe:/a:aol:aim

Reference Information

BID: 6259