Cross-site scripting (XSS) vulnerability through User-Agent header in Lync Server 2010

The Lync Server 2010 Web App page sends the User-Agent string of the web browser that makes a request. Because the string is not encoded in the output, it can be used maliciously to inject script into the webpage. 
To fix this issue, install the April 2016 cumulative update 4.0.7577.728 for Lync Server 2010, Web Components Server.


Article ID: 3155850 - Last Review: 05/20/2016 05:18:00 - Revision: 6.0

Microsoft Lync Server 2010 Enterprise Edition, Microsoft Lync Server 2010 Standard Edition

  • kbsurveynew kbtshoot kbexpertiseinter KB3155850