CVE-2007-0768

Name of the Vulnerable Software and Affected Versions Yahoo! Messenger versions 8.1.0.209 and earlier

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the Contact Details functionality. These vulnerabilities allow user-assisted remote attackers to inject arbitrary web script or HTML via a javascript: URI in the SRC attribute of an IMG element to the First Name, Last Name, and Nickname fields.

Recommendations For Yahoo! Messenger versions 8.1.0.209 and earlier, consider disabling the Contact Details functionality until a patch is available to prevent exploitation of the XSS vulnerabilities. Restrict access to the First Name, Last Name, and Nickname fields to minimize the risk of arbitrary web script or HTML injection. Avoid using the SRC attribute of an IMG element with a javascript: URI in these fields until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.