Vulnerability Name:

CVE-2008-0454 (CCN-39754)

Assigned: 2008-01-17
Published: 2008-01-17
Updated: 2021-07-23
Summary: Cross-zone scripting vulnerability in the Internet Explorer web control in Skype 3.6.0.244, and earlier 3.5.x and 3.6.x versions, on Windows allows user-assisted remote attackers to inject arbitrary web script or HTML in the Local Machine Zone via the Title field of a (1) Dailymotion and possibly (2) Metacafe movie in the Skype video gallery, accessible through a search within the "Add video to chat" dialog, aka "videomood XSS."
CVSS v3 Severity: 10.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity: 9.3 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C)
7.3 High (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
9.3 High (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C)
7.3 High (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type: CWE-79
Vulnerability Consequences: Gain Access
References:
Source: FULLDISC
Type: UNKNOWN
20080117 Skype videomood XSS

Source: FULLDISC
Type: UNKNOWN
20080117 Re: Skype videomood XSS

Source: MISC
Type: UNKNOWN
http://aviv.raffon.net/2008/01/17/SkypeCrosszoneScriptingVulnerability.aspx

Source: CCN
Type: Aviv Raff On .NET Web site
No more videos for you. Come back when patch available!

Source: MITRE
Type: CNA
CVE-2008-0454

Source: MITRE
Type: CNA
CVE-2008-0583

Source: CCN
Type: Full-Disclosure Mailing List, Thu, 17 Jan 2008 09:59:13 +0200
Skype videomood XSS

Source: CONFIRM
Type: UNKNOWN
http://share.skype.com/sites/security/2008/01/skype_cross_zone_scripting_vul.html

Source: CONFIRM
Type: UNKNOWN
http://skype.com/security/skype-sb-2008-001-update1.html

Source: CCN
Type: SKYPE-SB/2008-001
Skype Cross Zone Scripting Vulnerability

Source: CONFIRM
Type: UNKNOWN
http://skype.com/security/skype-sb-2008-001.html

Source: MISC
Type: UNKNOWN
http://www.critical.lt/?opinions/show/1470

Source: MISC
Type: UNKNOWN
http://www.gnucitizen.org/blog/vulnerabilities-in-skype

Source: CCN
Type: US-CERT VU#248184
Skype does not properly filter input from external websites

Source: CERT-VN
Type: US Government Resource
VU#248184

Source: CCN
Type: US-CERT VU#794236
SkypeFind fails to properly sanitize user-supplied input

Source: CCN
Type: OSVDB ID: 42863
Skype Internet Explorer Web Control Dailymotion Title Field Cross-zone Scripting

Source: CCN
Type: OSVDB ID: 42864
Skype Internet Explorer Web Control Video Gallery Metacafe Movie Title Cross-zone Scripting

Source: CCN
Type: OSVDB ID: 42868
Skype Metacafe Pro Gallery Submitted Movie Multiple Field Cross-zone Scripting

Source: BUGTRAQ
Type: UNKNOWN
20080117 RE: Skype videomood XSS

Source: BID
Type: UNKNOWN
27338

Source: CCN
Type: BID-27338
Skype Web Content Zone Remote Code Execution Vulnerability

Source: CCN
Type: Skype Web site
Download the latest version of Skype

Source: VUPEN
Type: UNKNOWN
ADV-2008-0194

Source: XF
Type: UNKNOWN
skype-addvideotochat-code-execution(39754)

Vulnerable Configuration: Configuration 1:
  • cpe:/o:microsoft:windows:*:*:*:*:*:*:*:*
  • AND
  • cpe:/a:microsoft:internet_explorer:*:*:*:*:*:*:*:*
  • OR cpe:/a:skype_technologies:skype:3.5:*:*:*:*:*:*:*
  • OR cpe:/a:skype_technologies:skype:3.6:*:*:*:*:*:*:*
  • OR cpe:/a:skype_technologies:skype:*:*:*:*:*:*:*:* (Version <= 3.6.0.244)

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID | Class | Title | Last Modified
    oval:org.mitre.oval:def:26510 | V | Cross-zone scripting vulnerability in the Internet Explorer web control | 2014-10-20
    microsoft windows *
    microsoft internet explorer *
    skype_technologies skype 3.5
    skype_technologies skype 3.6
    skype_technologies skype *