Microsoft Lync Server CVE-2014-4070 Cross Site Scripting Vulnerability

Bugtraq ID:	69579
Class:	Input Validation Error
CVE:	CVE-2014-4070
Remote:	Yes
Local:	No
Published:	Sep 09 2014 12:00AM
Updated:	Sep 17 2014 12:37PM
Credit:	Noam Rathaus, working with Beyond Security's SecuriTeam Secure Disclosure team
Vulnerable:
Not Vulnerable:

Microsoft Lync Server CVE-2014-4070 Cross Site Scripting Vulnerability

Microsoft Lync Server is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to obtain sensitive information from web sessions.

Microsoft Lync Server CVE-2014-4070 Cross Site Scripting Vulnerability

Attackers can exploit this issue by enticing an unsuspecting user into following a malicious URI.

Microsoft Lync Server CVE-2014-4070 Cross Site Scripting Vulnerability

Solution:
Updates are available. Please see the references or vendor advisory for more information.

Microsoft Lync Server CVE-2014-4070 Cross Site Scripting Vulnerability

References:

• Microsoft Homepage (Microsoft)