#VU13789 Improper input validation in Skype for Business and Microsoft Lync - CVE-2018-8238 

 


Published: July 10, 2018 / Updated: July 10, 2018


Vulnerability identifier: #VU13789
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2018-8238
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Skype for Business
Microsoft Lync
Software vendor:
Microsoft

Description

The vulnerability allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to improper validation of UNC path links shared via messages. A remote attacker can construct a specially crafted link to a file, trick the victim into clicking on that link, and execute arbitrary code on the target system with the privileges of the current user.


Remediation

Install updates from the vendor's website.
