
CVSS: 9.3 • EPSS: 43% • CPEs: 5 • EXPL: 0

Cross-zone scripting vulnerability in the Internet Explorer web control in Skype 3.6.0.244, and earlier 3.5.x and 3.6.x versions, on Windows allows user-assisted remote attackers to inject arbitrary web script or HTML in the Local Machine Zone via the Title field of a (1) Dailymotion and possibly (2) Metacafe movie in the Skype video gallery, accessible through a search within the "Add video to chat" dialog, aka "videomood XSS."

References:
• http://archives.neohapsis.com/archives/fulldisclosure/2008-01/0337.html
• http://archives.neohapsis.com/archives/fulldisclosure/2008-01/0363.html
• http://aviv.raffon.net/2008/01/17/SkypeCrosszoneScriptingVulnerability.aspx
• http://share.skype.com/sites/security/2008/01/skype_cross_zone_scripting_vul.html
• http://skype.com/security/skype-sb-2008-001-update1.html
• http://skype.com/security/skype-sb-2008-001.html
• http://www.critical.lt/?opinions/show/1470
• http://www.gnucitizen.org/blog/vulnerabilit

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.8 • EPSS: 87% • CPEs: 18 • EXPL: 0

Unspecified vulnerability in the skype4com URI handler in Skype before 3.6 GOLD allows remote attackers to execute arbitrary code via "short string values" that result in heap corruption.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Skype. User interaction is required to exploit this vulnerability in that the target must visit a malicious page. The specific flaw exists within the 'skype4com' URI handler created by Skype during installation. When processing short string values through this handler, an exploitable memory corruption may occur, which can result in arbitrary code execution under the context of the current user.

References:
• http://osvdb.org/39170
• http://secunia.com/advisories/27934
• http://securityreason.com/securityalert/3440
• http://securitytracker.com/id?1019056
• http://www.securityfocus.com/archive/1/484703/100/0/threaded
• http://www.securityfocus.com/bid/26748
• http://www.vupen.com/english/advisories/2007/4110
• http://www.zerodayinitiative.com/advisories/ZDI-07-070.html

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer