Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2008-0454

Cross-zone scripting vulnerability in the Internet Explorer web control in Skype 3.6.0.244, and earlier 3.5.x and 3.6.x versions, on Windows allows user-assisted remote attackers to inject arbitrary web script or HTML in the Local Machine Zone via the Title field of a (1) Dailymotion and possibly (2) Metacafe movie in the Skype video gallery, accessible through a search within the "Add video to chat" dialog, aka "videomood XSS."

Published

2008-01-25T01:00:00.000

Last Modified

2025-04-09T00:30:58.490

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 9.3 (HIGH)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Exploitability Score

8.6

Impact Score

10.0

Weaknesses

Type: Primary
CWE-79

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	microsoft	windows	*	No
Application	microsoft	internet_explorer	*	Yes
Application	skype_technologies	skype	≤ 3.6.0.244	Yes
Application	skype_technologies	skype	3.5	Yes
Application	skype_technologies	skype	3.6	Yes

References

http://archives.neohapsis.com/archives/fulldisclosure/2008-01/0337.html ([email protected])
http://archives.neohapsis.com/archives/fulldisclosure/2008-01/0363.html ([email protected])
http://aviv.raffon.net/2008/01/17/SkypeCrosszoneScriptingVulnerability.aspx ([email protected])
http://share.skype.com/sites/security/2008/01/skype_cross_zone_scripting_vul.html ([email protected])
http://skype.com/security/skype-sb-2008-001-update1.html ([email protected])
http://skype.com/security/skype-sb-2008-001.html ([email protected])
http://www.critical.lt/?opinions/show/1470 ([email protected])
http://www.gnucitizen.org/blog/vulnerabilities-in-skype ([email protected])
http://www.kb.cert.org/vuls/id/248184 US Government Resource ([email protected])
http://www.securityfocus.com/archive/1/486512/100/0/threaded ([email protected])
http://www.securityfocus.com/bid/27338 ([email protected])
http://www.vupen.com/english/advisories/2008/0194 ([email protected])
https://exchange.xforce.ibmcloud.com/vulnerabilities/39754 ([email protected])
http://archives.neohapsis.com/archives/fulldisclosure/2008-01/0337.html (af854a3a-2127-422b-91ae-364da2661108)
http://archives.neohapsis.com/archives/fulldisclosure/2008-01/0363.html (af854a3a-2127-422b-91ae-364da2661108)
http://aviv.raffon.net/2008/01/17/SkypeCrosszoneScriptingVulnerability.aspx (af854a3a-2127-422b-91ae-364da2661108)
http://share.skype.com/sites/security/2008/01/skype_cross_zone_scripting_vul.html (af854a3a-2127-422b-91ae-364da2661108)
http://skype.com/security/skype-sb-2008-001-update1.html (af854a3a-2127-422b-91ae-364da2661108)
http://skype.com/security/skype-sb-2008-001.html (af854a3a-2127-422b-91ae-364da2661108)
http://www.critical.lt/?opinions/show/1470 (af854a3a-2127-422b-91ae-364da2661108)
http://www.gnucitizen.org/blog/vulnerabilities-in-skype (af854a3a-2127-422b-91ae-364da2661108)
http://www.kb.cert.org/vuls/id/248184 US Government Resource (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/archive/1/486512/100/0/threaded (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/27338 (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2008/0194 (af854a3a-2127-422b-91ae-364da2661108)
https://exchange.xforce.ibmcloud.com/vulnerabilities/39754 (af854a3a-2127-422b-91ae-364da2661108)