2014-09-09 This security update resolves three privately reported vulnerabilities in Microsoft Lync Server. The most severe of these vulnerabilities could allow information disclosure if a user clicks on a specially crafted URL. In all cases, however, an attacker would have to convince users to click on the specially crafted URL, typically by getting them to click the URL in an email message or in an Instant Messenger request.
Vulnerabilities addressed in this bulletin:
Lync Denial of Service Vulnerability
A denial of service vulnerability exists in Lync Server. An attacker who successfully exploited this vulnerability could cause the affected system to stop responding.
CVE-2014-4068
Lync XSS Information Disclosure Vulnerability
A reflected cross-site scripting (XSS) vulnerability, which could result in information disclosure, exists when Lync Server fails to properly sanitize specially crafted content. An attacker who successfully exploited this vulnerability could potentially execute scripts in the user’s browser to obtain information from web sessions.
CVE-2014-4070
Lync Denial of Service Vulnerability
A denial of service vulnerability exists in Lync Server. An attacker who successfully exploited this vulnerability could cause the affected system to stop responding.
CVE-2014-4071

Bulletin details at Microsoft.com

Related CVE Entries

The Response Group Service in Microsoft Lync Server 2010 and 2013 and the Core Components in Lync Server 2013 do not properly handle exceptions, which allows remote attackers to cause a denial of service (daemon hang) via a crafted call, aka "Lync Denial of Service Vulnerability."
Max CVSS: 5.0
EPSS Score: 3.75%
Published: 2014-09-10
Updated: 2018-10-12
Cross-site scripting (XSS) vulnerability in the Web Components Server in Microsoft Lync Server 2013 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka "Lync XSS Information Disclosure Vulnerability."
Max CVSS: 4.3
EPSS Score: 2.69%
Published: 2014-09-10
Updated: 2018-10-12
The Server in Microsoft Lync Server 2013 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon hang) via a crafted request, aka "Lync Denial of Service Vulnerability."
Max CVSS: 5.0
EPSS Score: 2.11%
Published: 2014-09-10
Updated: 2018-10-12