CVE-2015-6061

Name of the Vulnerable Software and Affected Versions Microsoft Lync versions 2010 through 2013 SP1 Microsoft Skype for Business version 2016 Lync 2010 Attendee (affected versions not specified) Lync Room System (affected versions not specified)

Description The issue exists due to inadequate protection of the web page structure in Microsoft's instant messaging software. This allows a remote attacker to inject arbitrary web script or HTML code via an instant-message session.

Recommendations For Microsoft Lync versions 2010 through 2013 SP1, consider disabling instant messaging sessions until a patch is available. For Microsoft Skype for Business version 2016, restrict access to instant messaging features to minimize the risk of exploitation. For Lync 2010 Attendee and Lync Room System, at the moment, there is no information about a newer version that contains a fix for this vulnerability.