CVE Number | Vulnerability | Product | Severity | Date |
---|---|---|---|---|
MS15-123 | Security Update for Skype for Business and Microsoft Lync to Address Information Disclosure (3105872) | Microsoft Skype | Important | 11-11-2015 |
Technical Information
Brief overview of the risk:
This security update resolves a vulnerability in Skype for Business and Microsoft Lync. The vulnerability could allow information disclosure if an attacker invites a target user to an instant message session and then sends that user a message containing specially crafted JavaScript content.
Detailed Information on the risk:
An information disclosure vulnerability exists when Skype for Business and Microsoft Lync clients improperly sanitize specially crafted content. An attacker who successfully exploited the vulnerability could execute HTML and JavaScript content in the Skype for Business or Lync context. The attacker could use this vulnerability to open a webpage using the default browser, open another messaging session with a third party, or potentially trigger URIs that are defined by other applications on the client’s system.
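The description above comes down to message content reaching an HTML/JavaScript rendering context without being sanitized, with browser launches and application-defined URI handlers as the consequences. The following is an added example, not Microsoft's code or the actual fix: a message renderer that encodes all markup and turns only http/https URIs into links. The function names, the scheme allow-list and the sample inputs are assumptions made for illustration.

```javascript
// Added example (not Microsoft's code): render an untrusted instant message as inert HTML.
// ALLOWED_SCHEMES and all function names are assumptions made for this illustration.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every character that could open a tag, attribute or entity.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Return a normalized href only for allow-listed schemes; null otherwise.
// Custom schemes registered by other applications (sip:, javascript:, ...) are rejected.
function safeHref(candidate) {
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return null; // not a parseable absolute URI
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Split the message on whitespace, linkify tokens with an allowed scheme, and
// escape everything else so markup arrives as visible text, never as DOM.
function renderMessage(raw) {
  return raw
    .split(/(\s+)/)
    .map((token) => {
      const href = /^[a-z][a-z0-9+.-]*:/i.test(token) ? safeHref(token) : null;
      if (href === null) return escapeHtml(token);
      return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(token)}</a>`;
    })
    .join("");
}

// Constructed sample messages
console.log(renderMessage("see <script>x()</script> now"));
console.log(renderMessage("docs at https://example.com/a?b=1&c=2"));
console.log(renderMessage("call sip:user@example.com"));
```

Markup and non-allow-listed schemes come out as plain text; only http and https tokens become anchors, and both the href and the link text are encoded.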
Further information on this exploit is available at: MS15-123
Affected Software
Microsoft Skype for Business 2016
Microsoft Lync 2013
Microsoft Lync 2010
Microsoft Lync Room System