Microsoft Lync Server 2010 reachLocale Parameter XSS

medium Nessus Plugin ID 68880

Synopsis

A web application on the remote host has a cross-site scripting vulnerability.

Description

According to its self-reported version number, the version of Web Components Server (a component of Microsoft Lync 2010) has a cross-site scripting vulnerability. Input passed to the 'reachLocale' parameter of ReachJoin.aspx is not properly sanitized. An attacker could exploit this by tricking a user into requesting a specially crafted URL, resulting in arbitrary script code execution.

Solution

Install the Lync Server 2010, Web Components Server April 2011 update (KB2500441) or later.

See Also

http://foofus.net/?p=363

http://foofus.net/?page_id=372

https://support.microsoft.com/en-us/help/2500441/description-of-the-update-package-for-lync-server-2010-web-components

Plugin Details

Severity: Medium

ID: 68880

File Name: microsoft_lync_server_april_2011.nasl

Version: 1.8

Type: local

Agent: windows

Family: Windows

Published: 7/14/2013

Updated: 6/3/2021

Supported Sensors: Nessus Agent, Nessus

Vulnerability Information

CPE: cpe:/a:microsoft:lync_server:2010

Required KB Items: installed_sw/Microsft Lync

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/10/2011

Vulnerability Publication Date: 6/10/2011

Reference Information

BID: 48235

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990

IAVB: 2011-B-0074-S