Overview
Yahoo! Messenger is an instant messaging client. There is a vulnerability in Yahoo! Messenger that permits a remote user to add arbitrary users to the victim's buddy list.
Description
Yahoo! Messenger allows users to view content only from users on their buddy list. An attacker could craft a message to exploit this vulnerability and add arbitrary users to the victim's buddy list. This message would have to be sent through Yahoo! servers; the vulnerability could not be exploited peer-to-peer.
Impact
A remote user may be able to add users to the victim's buddy list. This can create a vector of attack for other vulnerabilities that require the victim to accept content from the attacker.
Solution
This vulnerability was fixed by a server-side resolution in February 2002. No user action is required.
Acknowledgements
This vulnerability was discovered by Scott Woodward.
This document was written by Jason Rafail.
Other Information
| CVE IDs: | None |
| CERT Advisory: | CA-2002-16 |
| Severity Metric: | 15.19 |
| Date Public: | 2002-02-21 |
| Date First Published: | 2002-06-05 |
| Date Last Updated: | 2002-06-10 15:49 UTC |
| Document Revision: | 16 |