CVE-2008-0454 - OpenCVE

Cross-zone scripting vulnerability in the Internet Explorer web control in Skype 3.6.0.244, and earlier 3.5.x and 3.6.x versions, on Windows allows user-assisted remote attackers to inject arbitrary web script or HTML in the Local Machine Zone via the Title field of a (1) Dailymotion and possibly (2) Metacafe movie in the Skype video gallery, accessible through a search within the "Add video to chat" dialog, aka "videomood XSS."

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:M/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Microsoft	Internet Explorer Windows
Skype Technologies	Skype

Configuration 1 [-]

AND

cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*

OR	cpe:2.3:a:microsoft:internet_explorer::::::::
	cpe:2.3:a:skype_technologies:skype::::::::
	cpe:2.3:a:skype_technologies:skype:3.5:::::::*
	cpe:2.3:a:skype_technologies:skype:3.6:::::::*

No data.

References

Link	Providers
http://archives.neohapsis.com/archives/fulldisclosure/2008-01/0337.html
http://archives.neohapsis.com/archives/fulldisclosure/2008-01/0363.html
http://aviv.raffon.net/2008/01/17/SkypeCrosszoneScriptingVulnerability.aspx
http://share.skype.com/sites/security/2008/01/skype_cross_zone_scripting_vul.html
http://skype.com/security/skype-sb-2008-001-update1.html
http://skype.com/security/skype-sb-2008-001.html
http://www.critical.lt/?opinions/show/1470
http://www.gnucitizen.org/blog/vulnerabilities-in-skype
http://www.kb.cert.org/vuls/id/248184
http://www.securityfocus.com/archive/1/486512/100/0/threaded
http://www.securityfocus.com/bid/27338
http://www.vupen.com/english/advisories/2008/0194
https://exchange.xforce.ibmcloud.com/vulnerabilities/39754

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2008-01-25T00:00:00

Updated: 2024-08-07T07:46:54.655Z

Reserved: 2008-01-24T00:00:00

Link: CVE-2008-0454

Vulnrichment

No data.

NVD

Status : Modified

Published: 2008-01-25T01:00:00.000

Modified: 2021-07-23T15:12:10.537

Link: CVE-2008-0454

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2008-01-17T00:00:00", "descriptions": [{"lang": "en", "value": "Cross-zone scripting vulnerability in the Internet Explorer web control in Skype 3.6.0.244, and earlier 3.5.x and 3.6.x versions, on Windows allows user-assisted remote attackers to inject arbitrary web script or HTML in the Local Machine Zone via the Title field of a (1) Dailymotion and possibly (2) Metacafe movie in the Skype video gallery, accessible through a search within the \"Add video to chat\" dialog, aka \"videomood XSS.\""}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-15T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "skype-addvideotochat-code-execution(39754)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39754"}, {"name": "20080117 Skype videomood XSS", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://archives.neohapsis.com/archives/fulldisclosure/2008-01/0337.html"}, {"tags": ["x_refsource_MISC"], "url": "http://www.critical.lt/?opinions/show/1470"}, {"name": "20080117 RE: Skype videomood XSS", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/486512/100/0/threaded"}, {"tags": ["x_refsource_MISC"], "url": "http://aviv.raffon.net/2008/01/17/SkypeCrosszoneScriptingVulnerability.aspx"}, {"name": "20080117 Re: Skype videomood XSS", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://archives.neohapsis.com/archives/fulldisclosure/2008-01/0363.html"}, {"name": "27338", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/27338"}, {"name": "VU#248184", "tags": ["third-party-advisory", "x_refsource_CERT-VN"], "url": "http://www.kb.cert.org/vuls/id/248184"}, {"tags": ["x_refsource_MISC"], "url": "http://www.gnucitizen.org/blog/vulnerabilities-in-skype"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://skype.com/security/skype-sb-2008-001-update1.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://share.skype.com/sites/security/2008/01/skype_cross_zone_scripting_vul.html"}, {"name": "ADV-2008-0194", "tags": ["vdb-entry", "x_refsource_VUPEN"], "url": "http://www.vupen.com/english/advisories/2008/0194"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://skype.com/security/skype-sb-2008-001.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2008-0454", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Cross-zone scripting vulnerability in the Internet Explorer web control in Skype 3.6.0.244, and earlier 3.5.x and 3.6.x versions, on Windows allows user-assisted remote attackers to inject arbitrary web script or HTML in the Local Machine Zone via the Title field of a (1) Dailymotion and possibly (2) Metacafe movie in the Skype video gallery, accessible through a search within the \"Add video to chat\" dialog, aka \"videomood XSS.\""}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "skype-addvideotochat-code-execution(39754)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39754"}, {"name": "20080117 Skype videomood XSS", "refsource": "FULLDISC", "url": "http://archives.neohapsis.com/archives/fulldisclosure/2008-01/0337.html"}, {"name": "http://www.critical.lt/?opinions/show/1470", "refsource": "MISC", "url": "http://www.critical.lt/?opinions/show/1470"}, {"name": "20080117 RE: Skype videomood XSS", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/486512/100/0/threaded"}, {"name": "http://aviv.raffon.net/2008/01/17/SkypeCrosszoneScriptingVulnerability.aspx", "refsource": "MISC", "url": "http://aviv.raffon.net/2008/01/17/SkypeCrosszoneScriptingVulnerability.aspx"}, {"name": "20080117 Re: Skype videomood XSS", "refsource": "FULLDISC", "url": "http://archives.neohapsis.com/archives/fulldisclosure/2008-01/0363.html"}, {"name": "27338", "refsource": "BID", "url": "http://www.securityfocus.com/bid/27338"}, {"name": "VU#248184", "refsource": "CERT-VN", "url": "http://www.kb.cert.org/vuls/id/248184"}, {"name": "http://www.gnucitizen.org/blog/vulnerabilities-in-skype", "refsource": "MISC", "url": "http://www.gnucitizen.org/blog/vulnerabilities-in-skype"}, {"name": "http://skype.com/security/skype-sb-2008-001-update1.html", "refsource": "CONFIRM", "url": "http://skype.com/security/skype-sb-2008-001-update1.html"}, {"name": "http://share.skype.com/sites/security/2008/01/skype_cross_zone_scripting_vul.html", "refsource": "CONFIRM", "url": "http://share.skype.com/sites/security/2008/01/skype_cross_zone_scripting_vul.html"}, {"name": "ADV-2008-0194", "refsource": "VUPEN", "url": "http://www.vupen.com/english/advisories/2008/0194"}, {"name": "http://skype.com/security/skype-sb-2008-001.html", "refsource": "CONFIRM", "url": "http://skype.com/security/skype-sb-2008-001.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T07:46:54.655Z"}, "title": "CVE Program Container", "references": [{"name": "skype-addvideotochat-code-execution(39754)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39754"}, {"name": "20080117 Skype videomood XSS", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://archives.neohapsis.com/archives/fulldisclosure/2008-01/0337.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.critical.lt/?opinions/show/1470"}, {"name": "20080117 RE: Skype videomood XSS", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/486512/100/0/threaded"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://aviv.raffon.net/2008/01/17/SkypeCrosszoneScriptingVulnerability.aspx"}, {"name": "20080117 Re: Skype videomood XSS", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://archives.neohapsis.com/archives/fulldisclosure/2008-01/0363.html"}, {"name": "27338", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/27338"}, {"name": "VU#248184", "tags": ["third-party-advisory", "x_refsource_CERT-VN", "x_transferred"], "url": "http://www.kb.cert.org/vuls/id/248184"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.gnucitizen.org/blog/vulnerabilities-in-skype"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://skype.com/security/skype-sb-2008-001-update1.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://share.skype.com/sites/security/2008/01/skype_cross_zone_scripting_vul.html"}, {"name": "ADV-2008-0194", "tags": ["vdb-entry", "x_refsource_VUPEN", "x_transferred"], "url": "http://www.vupen.com/english/advisories/2008/0194"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://skype.com/security/skype-sb-2008-001.html"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2008-0454", "datePublished": "2008-01-25T00:00:00", "dateReserved": "2008-01-24T00:00:00", "dateUpdated": "2024-08-07T07:46:54.655Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*", "matchCriteriaId": "2CF61F35-5905-4BA9-AD7E-7DB261D2F256", "vulnerable": false}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:internet_explorer:*:*:*:*:*:*:*:*", "matchCriteriaId": "8682FAF3-98E3-485C-89CB-C0358C4E2AB0", "vulnerable": true}, {"criteria": "cpe:2.3:a:skype_technologies:skype:*:*:*:*:*:*:*:*", "matchCriteriaId": "E42246D5-0D25-4630-84EF-A0B6CFE0AA72", "versionEndIncluding": "3.6.0.244", "vulnerable": true}, {"criteria": "cpe:2.3:a:skype_technologies:skype:3.5:*:*:*:*:*:*:*", "matchCriteriaId": "D09CC031-8F8F-4BC4-AEFF-4FD98411B272", "vulnerable": true}, {"criteria": "cpe:2.3:a:skype_technologies:skype:3.6:*:*:*:*:*:*:*", "matchCriteriaId": "AD01462B-281F-4299-8D85-3FC6E6D392A8", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cross-zone scripting vulnerability in the Internet Explorer web control in Skype 3.6.0.244, and earlier 3.5.x and 3.6.x versions, on Windows allows user-assisted remote attackers to inject arbitrary web script or HTML in the Local Machine Zone via the Title field of a (1) Dailymotion and possibly (2) Metacafe movie in the Skype video gallery, accessible through a search within the \"Add video to chat\" dialog, aka \"videomood XSS.\""}, {"lang": "es", "value": "Vulnerabilidad de secuencias de comandos en zonas cruzadas en el control web Internet Explorer de Skype 3.6.0.244, y versiones anteriores 3.5.x y 3.6.x en Windows, permite a atacantes remotos con la complicidad del usuario inyectar secuencias de comandos web o HTML de su elecci\u00f3n en la Zona de M\u00e1quina Local mediante el campo Title de un (1) Dailymotion y posiblemente (2) una pel\u00edcula Metacafe en la galer\u00eda de v\u00eddeos de Skype, accesible a trav\u00e9s de una b\u00fasqueda dentro del di\u00e1logo \"Add video to chat\", tambi\u00e9n conocido como \"videomood XSS\"."}], "id": "CVE-2008-0454", "lastModified": "2021-07-23T15:12:10.537", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2008-01-25T01:00:00.000", "references": [{"source": "cve@mitre.org", "url": "http://archives.neohapsis.com/archives/fulldisclosure/2008-01/0337.html"}, {"source": "cve@mitre.org", "url": "http://archives.neohapsis.com/archives/fulldisclosure/2008-01/0363.html"}, {"source": "cve@mitre.org", "url": "http://aviv.raffon.net/2008/01/17/SkypeCrosszoneScriptingVulnerability.aspx"}, {"source": "cve@mitre.org", "url": "http://share.skype.com/sites/security/2008/01/skype_cross_zone_scripting_vul.html"}, {"source": "cve@mitre.org", "url": "http://skype.com/security/skype-sb-2008-001-update1.html"}, {"source": "cve@mitre.org", "url": "http://skype.com/security/skype-sb-2008-001.html"}, {"source": "cve@mitre.org", "url": "http://www.critical.lt/?opinions/show/1470"}, {"source": "cve@mitre.org", "url": "http://www.gnucitizen.org/blog/vulnerabilities-in-skype"}, {"source": "cve@mitre.org", "tags": ["US Government Resource"], "url": "http://www.kb.cert.org/vuls/id/248184"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/486512/100/0/threaded"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/27338"}, {"source": "cve@mitre.org", "url": "http://www.vupen.com/english/advisories/2008/0194"}, {"source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/39754"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}