Vulnerability Note VU#794236
SkypeFind fails to properly sanitize user-supplied input
The Skype client does not properly filter user-supplied input that was received from the SkypeFind service. This vulnerability may allow an attacker to execute arbitrary code.
Skype is a peer-to-peer application that provides Voice over IP (VoIP) and Instant Messaging services. The Skype client is available for the Microsoft Windows, Apple OS X and Linux operating systems. SkypeFind allows users to review businesses. These reviews are viewable by others.
Skype does not properly filter input that was supplied to the SkypeFind full name field. An attacker may be able to exploit this vulnerability by injecting script into the full name field. When a user viewed the specially crafted SkypeFind profile, the script would be run in the Internet Explorer Local Machine Zone.
As explained in VU#248184, since the user-supplied script runs in the Local Machine Zone a remote unauthenticated attacker may be able to execute arbitrary code.
Skype has addressed this issue by filtering input supplied to the SkypeFind service.
Restrict access to the Skype URI
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Skype Technologies||Affected||-||06 Feb 2008|
CVSS Metrics (Learn More)
This vulnerability was made public by Aviv Raff.
This document was written by Ryan Giobbi.
- CVE IDs: CVE-2008-0582 CVE-2008-0583
- Date Public: 31 Jan 2008
- Date First Published: 13 Feb 2008
- Date Last Updated: 13 Feb 2008
- Document Revision: 38
If you have feedback, comments, or additional information about this vulnerability, please send us email.