A remote code execution vulnerability exists when Skype for Business and Microsoft Lync Servers fail to properly sanitize specially crafted content.An authenticated attacker who successfully exploited this vulnerability could execute HTML and JavaScript content in the Skype for Business or Lync context. An attacker could use this vulnerability to open a web page using the default browser, open another messaging session with someone else, or potentially trigger other URIs defined on the clients system for another application.To exploit this vulnerability an attacker could invite a user to an instant message session and then send a message that contains specially crafted JavaScript content. The update addresses the vulnerability by correcting how Skype for Business and Lync Servers sanitize content.