{"vuid":"VU#393195","idnumber":"393195","name":"Yahoo! Messenger allows arbitrary users to be added to buddy list without proper authorization","keywords":["Yahoo","Messenger","arbitrary users","buddylist","authorization"],"overview":"Yahoo! Messenger is an instant messaging client. There is a vulnerability in Yahoo! Messenger that permits a remote user to add arbitrary users to the victim's buddy list.","clean_desc":"Yahoo! Messenger allows users to view content only from users on their buddy list. An attacker could craft a message to exploit this vulnerability and add arbitrary users to the victim's buddy list. This message would have to be sent through Yahoo! servers, and could not be exploited peer-to-peer.","impact":"A remote user may be able to add users to the victim's buddy list. This can create a vector of attack for other vulnerabilities that require the victim to accept content from the attacker.","resolution":"This vulnerability was fixed by a server-side resolution in February 2002. No user action is required.","workarounds":"","sysaffected":"","thanks":"This vulnerability was discovered by Scott Woodward <scott@phoenixtechie.com>.","author":"This document was written by Jason Rafail.","public":["http://online.securityfocus.com/archive/1/257584"],"cveids":[""],"certadvisory":"CA-2002-16","uscerttechnicalalert":null,"datecreated":"2002-02-22T19:51:06Z","publicdate":"2002-02-21T00:00:00Z","datefirstpublished":"2002-06-05T18:15:58Z","dateupdated":"2002-06-10T15:49:13Z","revision":16,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"5","cam_population":"15","cam_impact":"15","cam_easeofexploitation":"12","cam_attackeraccessrequired":"15","cam_scorecurrent":"15.1875","cam_scorecurrentwidelyknown":"18.984375","cam_scorecurrentwidelyknownexploited":"34.171875","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":15.1875,"vulnote":null}