Improper input validation in Skype for Business and Microsoft Lync - CVE-2018-8238

 


Published: July 10, 2018 / Updated: July 10, 2018


Vulnerability identifier: #VU13789
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2018-8238
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Microsoft
Affected software:
Skype for Business
Microsoft Lync

Detailed vulnerability description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to improper validation of UNC path links shared via messages. A remote attacker can construct a specially crafted link to a file, trick the victim into clicking on that link and execute arbitrary code on the target system with privileges of the current user.
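
For defenders reviewing message content or archived chat logs, the following added example (not part of the original advisory and not Microsoft's fix) flags UNC and `file:` links that point to hosts outside an allowlist. The function names, the allowlist and the sample hosts are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Backslash forms: \\host\share, \\?\UNC\host\share, \\host@SSL\share (WebDAV redirector)
UNC_RE = re.compile(r'\\\\(?:\?\\UNC\\)?([^\\/\s?]+)\\[^\s<>"]+', re.IGNORECASE)
# URI forms: file://host/share/... and file:////host/share/...
FILE_URI_RE = re.compile(r'file:[^\s<>"]+', re.IGNORECASE)
LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}


def _file_uri_host(uri):
    """Return the remote host of a file: URI, or "" for a local path."""
    try:
        parts = urlsplit(uri)
    except ValueError:
        return "unparseable"          # malformed authority: report it, do not skip it
    if parts.netloc:
        return parts.netloc           # file://host/share/doc
    if parts.path.startswith("//"):
        return parts.path[2:].split("/", 1)[0]   # file:////host/share/doc
    return ""                         # file:///C:/... stays on the local machine


def find_remote_file_links(message, allowed_hosts=()):
    """List (link, host) pairs for UNC/file links whose host is not allowlisted."""
    allowed = {h.lower() for h in allowed_hosts}
    hits = [(m.group(0), m.group(1)) for m in UNC_RE.finditer(message)]
    hits += [(m.group(0), _file_uri_host(m.group(0)))
             for m in FILE_URI_RE.finditer(message)]
    findings = []
    for link, host in hits:
        name = host.split("@", 1)[0].lower()     # drop @SSL / @port suffix
        if name in LOCAL_HOSTS or name in allowed:
            continue
        findings.append((link, name))
    return findings


if __name__ == "__main__":
    # Constructed sample messages; hosts are documentation-range placeholders.
    samples = [
        r"Q2 numbers: \\fs01.corp.example\finance\q2.xlsx",
        r"Please open \\198.51.100.7\drop\invoice.docx today",
        "Notes are at file:///C:/Users/me/notes.txt",
    ]
    for text in samples:
        print(find_remote_file_links(text, {"fs01.corp.example"}), "<-", text)
```
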


How to mitigate CVE-2018-8238

Install updates from the vendor's website.
