Cross-site scripting (XSS) vulnerability through User-Agent header in Lync Server 2010
Content provided by Microsoft
Applies to: Lync Server 2010 Enterprise EditionLync Server 2010 Standard Edition
The Lync Server 2010 Web App page sends the User-Agent string of the web browser that makes a request. Because the string is not encoded in the output, it can be used maliciously to inject script into the webpage.