Vulnerability identifier: #VU13789
Vulnerability risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-20
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Skype for Business
Client/Desktop applications /
Messaging software
Microsoft Lync
Client/Desktop applications /
Messaging software
Vendor: Microsoft
Description
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to improper validation of UNC path links shared via messages. A remote attacker can construct a specially crafted link to file, trick the victim into clicking on that link and execute arbitrary code on the target system with privileges of the current user.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Skype for Business: 2016
Microsoft Lync:
External links
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8238
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.