AOL Instant Messenger Arbitrary File Forced Download

Severity: High | Nessus Network Monitor Plugin ID 1244

Synopsis

An attacker can silently download files to the remote AOL client.

Description

The remote host is running AOL Instant Messenger (AIM). A vulnerability has been discovered in AIM that could allow an attacker to force a user to download an attacker-supplied file. If the vulnerable user has enabled the option that accepts incoming file transfers without a prompt, an attacker may be able to push a file to that user; the file is transferred without the target user ever being asked for authorization.

Solution

Disable the AIM option that accepts file transfers without prompting, so that every incoming transfer requires the user's explicit approval.

Plugin Details

Severity: High

ID: 1244

Published: 8/20/2004

Updated: 3/6/2019

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.6

Temporal Score: 7.2

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:W/RC:X

Vulnerability Information

CPE: cpe:/a:aol:aim

Reference Information

BID: 6259