The following advisory describes an XSS vulnerability found in Skype for Business.
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
The vendor has released patches to address this vulnerability and has only provided these details in response to our query on the status: “implemented some changes in the latest version to sanitize HTML input”
One of Skype for Business's features is the ability to send HTML code via chat; Skype for Business will render that HTML in the recipient's chat window.
The vulnerability allows an attacker to send malicious HTML code that is rendered as a picture; once the victim clicks on the rendered picture, they are redirected to a website of the attacker's choice.
Proof of Concept
You can use the following steps to recreate the vulnerability:
1. Copy and run the following message in "jsfiddle.net":
<xht:acronym style="font:7604% serif; font-family:roman; background-color:#FF0000;"><a href="//evil.com">X</a></xht:acronym>
2. Copy the rendered HTML output (see screenshot jsfiddle.jpg).
3. Paste directly into the chat window of the victim, press enter.
4. The submitted HTML code is rendered in the victim's chat window.
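The vendor's only stated remediation is that it "implemented some changes in the latest version to sanitize HTML input". As an added illustration of what that class of fix looks like on the receiving side, the example below is a small allowlist-based sanitizer written for this advisory; it is not Microsoft's code and says nothing about how Skype for Business actually implements its fix. The allowed tag set is an assumption chosen for a chat client: a handful of inline formatting tags, no attributes at all, and everything else (including the namespaced `xht:acronym` element and the `<a href>` from the proof of concept) reduced to its text content. Run against the advisory's payload, it leaves only the visible "X" with no clickable link.

```python
"""Allowlist HTML sanitizer for chat messages (illustrative example, not vendor code)."""
from html import escape
from html.parser import HTMLParser

# Assumed policy: a few inline formatting tags, no attributes of any kind.
# Unknown, namespaced (e.g. "xht:acronym"), scripting and link tags are dropped.
ALLOWED_TAGS = {"b", "i", "u", "em", "strong", "br", "p"}
VOID_TAGS = {"br"}


class ChatSanitizer(HTMLParser):
    """Rebuilds a message from scratch, keeping only allowlisted tags and escaped text."""

    def __init__(self):
        # convert_charrefs=True folds entities into handle_data so they get re-escaped uniformly
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        # Attributes (style, href, event handlers) are never copied through.
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")
            if tag not in VOID_TAGS:
                self.open_tags.append(tag)

    def handle_endtag(self, tag):
        # Only close tags we ourselves opened; unwind anything left open inside them.
        if tag in ALLOWED_TAGS and tag in self.open_tags:
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        # All text is entity-escaped so stray '<' or '"' cannot form new markup.
        self.out.append(escape(data, quote=True))

    # Comments, processing instructions and declarations are discarded by default.

    def result(self):
        # Close any tags the sender left unbalanced so the output is well-formed.
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_chat_html(raw_message: str) -> str:
    """Return a rendering-safe version of an incoming chat message."""
    parser = ChatSanitizer()
    parser.feed(raw_message)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # The payload from the advisory above: a namespaced element with a styled link.
    poc = ('<xht:acronym style="font:7604% serif; font-family:roman; '
           'background-color:#FF0000;"><a href="//evil.com">X</a></xht:acronym>')
    print(sanitize_chat_html(poc))            # X
    print(sanitize_chat_html('<b onclick="x()">hi</b> <i>there'))  # <b>hi</b> <i>there</i>
```

The important design choice is that the sanitizer never passes the sender's markup through; it regenerates output from a parsed tree using only tags it recognises, so bypasses based on unusual element names, namespaces or attribute encodings have nothing to attach to. A denylist that tried to strip `<a>` or `onerror` from the raw string would have missed the `xht:` prefix exactly the way the original rendering did.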