A vulnerability was reported in Skype. A remote user can conduct cross-site scripting attacks.
18.104.22.168 and prior versions
The software does not properly filter HTML code from user-supplied input in the The "mobile phone" profile entry before displaying the input.
Skype suffers from a persistent Cross-Site Scripting vulnerability due to a lack of input validation and output sanitization of the "mobile phone" profile entry. Other input fields may also be affected.
The software does not properly filter HTML code from user-supplied input in the The "mobile phone" profile entry before displaying the input. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the Skype software and will run in the security context of that application. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the application, access data recently submitted by the target user via web form to the application, or take actions on the application acting as the target user.
An attacker could trivially hijack session IDs of remote users and leverage the vulnerability to increase the attack vector to the underlying software and operating system of the victim.
Skype 22.214.171.124 (the current version) and earlier for Windows and Mac are affected. The Linux version is not affected.
Skype has now confirmed it is aware of the hole and has already developed a patch to be published within the next week. Skype provides a plausible explanation as to why the problem isn't immediately reproducible: to take advantage of it, the attacker must appear in the victim's list of frequent contacts.