Description

Skype for Business allows an unauthenticated attacker to send arbitrary requests to perform lookups on the internal network which is otherwise not accessible externally. An attacker may use this feature to perform SSRF (server-side request forgery) attacks on the server.

Remediation

Upgrade to the latest version of Skype for Business

References

Skype for Business Audit Part 2 - SKYPErimeterleak

Skype for Business Elevation of Privilege Vulnerability

Related Vulnerabilities

Dolibarr Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2019-19211)

ZenCart Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Vulnerability (CVE-2008-6985)

Moodle Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2014-3550)

Moodle Permissions, Privileges, and Access Controls Vulnerability (CVE-2011-4308)

IBM RTC Cross-site Scripting (XSS) Vulnerability (CVE-2020-4697)

Severity

High

Classification

CVE-2023-41763 CWE-918 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:L

Tags

Acumonitor SSRF Known Vulnerabilities