Detections
Analytics

MS15-104: Vulnerabilities in Skype for Business Server and Lync Server Could Allow Elevation of Privilege (3089952)

medium Nessus Plugin ID 85849

Language:

Synopsis

The remote host is affected by multiple vulnerabilities.

Description

The remote Windows host is missing a security update. It is, therefore, affected by multiple cross-site scripting vulnerabilities in Skype for Business Server and Lync Server :

 - A cross-site scripting vulnerability exists in Skype for Business Server and Lync Server due to a failure by the jQuery engine to properly sanitize specially crafted content. An unauthenticated, remote attacker can exploit this vulnerability by convincing a user to open a malicious URL, resulting in the execution of arbitrary script code in the user's browser to gain information from web sessions. (CVE-2015-2531)

 - A cross-site scripting vulnerability exists in Lync Server due to improper sanitization of specially crafted content. An unauthenticated, remote attacker can exploit this vulnerability by convincing a user to open a malicious URL, resulting in the execution of arbitrary script code in the user's browser to gain information from web sessions. (CVE-2015-2532)

 - A cross-site scripting vulnerability exists in Skype for Business Server and Lync Server due to improper sanitization of specially crafted content. A remote, unauthenticated attacker can exploit this by convincing a user to open a malicious URL, resulting in the execution of arbitrary script code in the user's browser to gain elevated privileges. (CVE-2015-2536)

Solution

Microsoft has released a set of patches for Microsoft Lync Server 2013 and Skype for Business Server 2015.

See Also

http://www.nessus.org/u?4e8b2f20

Plugin Details

Severity: Medium

ID: 85849

File Name: smb_nt_ms15-104.nasl

Version: 1.11

Type: local

Agent: windows

Published: 9/9/2015

Updated: 11/22/2019

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2015-2536

Vulnerability Information

CPE: cpe:/a:microsoft:lync_server, cpe:/a:microsoft:skype_for_business_server

Required KB Items: SMB/MS_Bulletin_Checks/Possible

Exploit Ease: No known exploits are available

Patch Publication Date: 9/8/2015

Vulnerability Publication Date: 9/8/2015

Reference Information

CVE: CVE-2015-2531, CVE-2015-2532, CVE-2015-2536

BID: 76600, 76601, 76603

MSFT: MS15-104

MSKB: 3080352, 3080353, 3080355