Yahoo! Messenger Shared File Access User Status Enumeration

Medium Nessus Network Monitor Plugin ID 1260

Synopsis

The remote host may give an attacker information useful for future attacks.

Description

The remote host is running a version of Yahoo Instant Messenger that reveals whether a user is on-line, even when the user is marked as "invisible". This can be determined by trying to access the user's shared files: the error message returned when the user is on-line differs from the one returned when the user is off-line.

Solution

Upgrade to the latest version of Yahoo! Messenger.

Plugin Details

Severity: Medium

ID: 1260

File Name: 1260.prm

Published: 2004/08/20

Modified: 2016/01/21

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 5

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:H/RL:U/RC:ND

CVSSv3

Base Score: 5.3

Temporal Score: 5.3

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS3#E:H/RL:U/RC:X

Vulnerability Information

CPE: cpe:/a:yahoo:messenger

Reference Information

BID: 6121

OSVDB: 62108