MS14-055 Vulnerabilities in Microsoft Lync Server Could Allow Denial of Service
2014-09-09
This security update resolves three privately reported vulnerabilities in Microsoft Lync Server. The most severe of these vulnerabilities could allow information disclosure if a user clicks on a specially crafted URL. In all cases, however, an attacker would have to convince users to click on the specially crafted URL, typically by getting them to click the URL in an email message or in an Instant Messenger request.
Vulnerabilities addressed in this bulletin:
- CVE-2014-4068 - Lync Denial of Service Vulnerability
  - A denial of service vulnerability exists in Lync Server. An attacker who successfully exploited this vulnerability could cause the affected system to stop responding.
- CVE-2014-4070 - Lync XSS Information Disclosure Vulnerability
  - A reflected cross-site scripting (XSS) vulnerability, which could result in information disclosure, exists when Lync Server fails to properly sanitize specially crafted content. An attacker who successfully exploited this vulnerability could potentially execute scripts in the user's browser to obtain information from web sessions.
- CVE-2014-4071 - Lync Denial of Service Vulnerability
  - A denial of service vulnerability exists in Lync Server. An attacker who successfully exploited this vulnerability could cause the affected system to stop responding.
Related CVE Entries
CVE-2014-4068: The Response Group Service in Microsoft Lync Server 2010 and 2013 and the Core Components in Lync Server 2013 do not properly handle exceptions, which allows remote attackers to cause a denial of service (daemon hang) via a crafted call, aka "Lync Denial of Service Vulnerability."
Max CVSS: 5.0 | EPSS Score: 3.75% | Published: 2014-09-10 | Updated: 2018-10-12
CVE-2014-4070: Cross-site scripting (XSS) vulnerability in the Web Components Server in Microsoft Lync Server 2013 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka "Lync XSS Information Disclosure Vulnerability."
Max CVSS: 4.3 | EPSS Score: 2.69% | Published: 2014-09-10 | Updated: 2018-10-12
CVE-2014-4071: The Server in Microsoft Lync Server 2013 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon hang) via a crafted request, aka "Lync Denial of Service Vulnerability."
Max CVSS: 5.0 | EPSS Score: 2.11% | Published: 2014-09-10 | Updated: 2018-10-12