Vigil@nce - Microsoft Lync, Skype for Business: information disclosure
January 2016 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can inject JavaScript code in Microsoft Lync or Skype
for Business, in order read information of a web site.
Impacted products: Lync, Skype for Business.
Severity: 2/4.
Creation date: 10/11/2015.
DESCRIPTION OF THE VULNERABILITY
The Microsoft Lync or Skype for Business product offers an instant
message service.
However, an instant message containing JavaScript code is directly
interpreted, and can read data of private web services.
An attacker can therefore inject JavaScript code in Microsoft Lync
or Skype for Business, in order read information of a web site.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Microsoft-Lync-Skype-for-Business-information-disclosure-18288