CVE-2008-0454: XSS
First published: Fri Jan 25 2008(Updated: )
Cross-zone scripting vulnerability in the Internet Explorer web control in Skype 3.6.0.244, and earlier 3.5.x and 3.6.x versions, on Windows allows user-assisted remote attackers to inject arbitrary web script or HTML in the Local Machine Zone via the Title field of a (1) Dailymotion and possibly (2) Metacafe movie in the Skype video gallery, accessible through a search within the "Add video to chat" dialog, aka "videomood XSS."
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Microsoft Windows | ||
| Internet Explorer | ||
| Microsoft Skype | <=3.6.0.244 | |
| Microsoft Skype | =3.5 | |
| Microsoft Skype | =3.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://archives.neohapsis.com/archives/fulldisclosure/2008-01/0363.html
- http://archives.neohapsis.com/archives/fulldisclosure/2008-01/0337.html
- http://aviv.raffon.net/2008/01/17/SkypeCrosszoneScriptingVulnerability.aspx
- http://www.critical.lt/?opinions/show/1470
- http://www.gnucitizen.org/blog/vulnerabilities-in-skype
- http://share.skype.com/sites/security/2008/01/skype_cross_zone_scripting_vul.html
- http://skype.com/security/skype-sb-2008-001-update1.html
- http://skype.com/security/skype-sb-2008-001.html
- http://www.kb.cert.org/vuls/id/248184
- http://www.securityfocus.com/bid/27338
- http://www.vupen.com/english/advisories/2008/0194
- https://exchange.xforce.ibmcloud.com/vulnerabilities/39754
- http://www.securityfocus.com/archive/1/486512/100/0/threaded
Frequently Asked Questions
What is the severity of CVE-2008-0454?
CVE-2008-0454 has a moderate severity rating due to its potential for cross-zone scripting exploits.
How do I fix CVE-2008-0454?
To fix CVE-2008-0454, update Skype to a version later than 3.6.0.244.
Which versions of Skype are affected by CVE-2008-0454?
CVE-2008-0454 affects Skype versions 3.5.x and earlier 3.6.x, including 3.6.0.244.
What type of attacks can be executed using CVE-2008-0454?
CVE-2008-0454 can allow remote attackers to inject arbitrary web scripts or HTML into the Local Machine Zone.
In which component does the CVE-2008-0454 vulnerability exist?
CVE-2008-0454 exists within the Internet Explorer web control used by Skype.
- collector/nvd-historical
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/references
- agent/last-modified-date
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/microsoft
- canonical/microsoft windows
- canonical/internet explorer
- vendor/skype technologies
- canonical/microsoft skype
- version/microsoft skype/3.6.0.244
- version/microsoft skype/3.5
- version/microsoft skype/3.6