PT-2012-26: Remote JS Code Execution in qutIM

Vulnerable software
qutIM
Version: 0.3 and earlier
Link: http://qutim.org/

Severity level
Severity level: Medium
Impact: JS Code Execution
Access Vector: Remote
CVSS v2:
Base Score: 5.4
Vector: (AV:A/AC:M/Au:N/C:P/I:P/A:P)
CVE: not assigned

Software description
qutIM is a free open source multiprotocol (ICQ, Jabber, Mail.Ru, IRC, VKontakte) IM client for Windows, Linux, MacOS X, OS/2, Symbian, Maemo/MeeGo, Solaris and *BSD.

Vulnerability description
The specialists of the Positive Research center have detected an "Unauthorized Remote JS Code Execution" vulnerability in qutIM.
The vulnerability allows an attacker to send a specially crafted message containing JS code, which will potentially be executed on the recipient's side.

Example:

How to fix
Update your software to the latest version.

Advisory status
14.08.2012 - Vendor is notified
14.08.2012 - Vendor gets vulnerability details
23.09.2013 - Vendor releases fixed version and details
08.10.2013 - Public disclosure

Credits
The vulnerability was detected by Mikhail Firstov, Positive Research Center (Positive Technologies Company)

References
http://en.securitylab.ru/lab/PT-2012-26

Reports on the vulnerabilities previously discovered by Positive Research:
http://www.ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/
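The bug class described above, as an added illustration that is not qutIM's code and makes no claim about how qutIM actually renders messages: an HTML-based chat view that concatenates sender-controlled message text into markup, beside the escaped version, with a check a reviewer can run over the rendered output. The message, the `renderUnsafe`/`renderSafe` functions and the `containsLiveMarkup` check are all constructed for this example.

```javascript
// Added example (not qutIM code): why a crafted IM message can execute script in
// an HTML-based chat view, and how escaping prevents it. Runs in Node without a
// DOM; the "view" is just the HTML string the renderer produces.

// Constructed incoming message (not a real capture). Everything the sender
// controls must be treated as data, never as part of the view's structure.
const INCOMING = {
  from: "contact@example.org",
  body: '<img src=x onerror="alert(1)">hello',
};

// Vulnerable pattern: message fields are concatenated straight into markup, so
// tags and event handlers chosen by the sender become live in the recipient's view.
function renderUnsafe(msg) {
  return `<div class="msg"><b>${msg.from}</b>: ${msg.body}</div>`;
}

// Escape the five characters that can change HTML structure or break out of an
// attribute value.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: every sender-controlled field is escaped before insertion,
// so the same message is displayed as visible text instead of being parsed.
function renderSafe(msg) {
  return `<div class="msg"><b>${escapeHtml(msg.from)}</b>: ${escapeHtml(msg.body)}</div>`;
}

// Defender-side check over rendered output: after removing the view's own fixed
// template tags, is any tag (or an on*= handler inside a tag) left over? If so,
// sender-supplied markup reached the view unescaped.
function containsLiveMarkup(html) {
  const withoutTemplate = html
    .replace(/<\/?div[^>]*>/g, "")
    .replace(/<\/?b>/g, "");
  return /<[a-z!/]/i.test(withoutTemplate) || /<[^>]*\son\w+\s*=/i.test(withoutTemplate);
}
```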