AOL Instant Messenger URL refresh Tag XSS

medium Nessus Network Monitor Plugin ID 1247

Synopsis

The remote AOL client may be coerced into running arbitrary HTML code.

Description

The remote host is running AOL Instant Messenger (AIM). AIM is prone to an issue that may allow maliciously crafted HTML to perform unauthorized actions (such as adding entries to the buddy list) on behalf of the user of a vulnerable client. This condition is due to the way the client handles aim: URIs. These actions are taken without prompting or notifying the user. This issue was reported for versions of AIM running on Microsoft Windows and MacOS; the Linux version of the client is not affected.

Solution

Upgrade to the latest version of AOL Instant Messenger.

Plugin Details

Severity: Medium

ID: 1247

Published: 8/20/2004

Updated: 3/6/2019

Risk Information

VPR

Risk Factor: Medium

Score: 4.2

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:H/RL:U/RC:X

Vulnerability Information

CPE: cpe:/a:aol:aim

Reference Information

CVE: CVE-2002-2169

BID: 5246