Vulnerability Note VU#393195
Yahoo! Messenger allows arbitrary users to be added to buddy list without proper authorization
Yahoo! Messenger is an instant messaging client. There is a vulnerability in Yahoo! Messenger that permits a remote user to add arbitrary users to the victim's buddy list.
Yahoo! Messenger allows users to view content only from users on their buddy list. An attacker could craft a message that exploits this vulnerability to add arbitrary users to the victim's buddy list. The message would have to be sent through Yahoo! servers; the vulnerability could not be exploited peer-to-peer.
A remote user may be able to add users to the victim's buddy list. This can create a vector of attack for other vulnerabilities that require the victim to accept content from the attacker.
This vulnerability was fixed by a server-side resolution in February 2002. No user action is required.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Yahoo | Affected | 29 May 2002 | 05 Jun 2002 |
This vulnerability was discovered by Scott Woodward <firstname.lastname@example.org>.
This document was written by Jason Rafail.
- CVE IDs: Unknown
- CERT Advisory: CA-2002-16
- Date Public: 21 Feb 2002
- Date First Published: 05 Jun 2002
- Date Last Updated: 10 Jun 2002
- Severity Metric: 15.19
- Document Revision: 16