CVE-2014-1823

Name of the Vulnerable Software and Affected Versions Microsoft Lync Server versions 2010 through 2013

Description The issue is related to a cross-site scripting (XSS) vulnerability, which allows an attacker to inject arbitrary web script or HTML via a crafted URL containing a valid meeting ID. This vulnerability is due to incorrect handling (sanitization) of specially crafted content. In the case of a successful exploit, an attacker may be able to execute scripts in the user's browser and gain access to web session information.

Recommendations For Microsoft Lync Server versions 2010 through 2013, consider restricting access to the Web Components Server as a temporary workaround until a patch is available. Avoid using crafted URLs that may trigger the vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.