CVE-2015-2531

Name of the Vulnerable Software and Affected Versions Microsoft Lync Server 2013 Skype for Business Server 2015

Description The issue exists due to insufficient protection of the web page structure in the jQuery component of Microsoft Lync Server and Skype for Business Server. This allows a remote attacker to inject arbitrary web or HTML code using a specially crafted URL. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited.

Recommendations For Microsoft Lync Server 2013, update to a version that includes the fix for this issue. For Skype for Business Server 2015, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the jQuery engine in the affected servers until a patch is available.