CVE-2022-24522: Skype Extension for Chrome Information Disclosure Vulnerability

Overview

Severity

Medium (CVSS 6.5)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C

Category

Information Disclosure

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2022-Mar

Released

2022-03-08

Last Updated

2022-05-16

EPSS Score

2.46% (percentile: 85.3%)

FAQ

How can I get the update for Skype Extension for Chrome? The Skype Extension for Chrome is available in the Chrome Web Store. Open the Chrome Web Store and type "Skype" into the search box. Scroll down to Extensions. The Skype Extension will be the first on the list Click on the Add to Chrome button. What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the target's Skype ID. If an attacker gains access to that ID they could potentially match it within Skype to a name and Avatar for the user. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? A targeted user would need to visit a malicious user's website using Chrome with this Extension while the user is logged into a Microsoft account.

Affected Products (1)

Microsoft Office

• Skype Extension for Chrome

Security Updates (1)

• Release Notes

Acknowledgments

<a href="https://palant.info/">Wladimir Palant</a>

Revision History

• 2022-03-08: Information published.
• 2022-05-16: Updated one or more CVSS scores for the affected products. This is an informational change only.