History: Dec 09, 2020 - 12:30 a.m.

CVE-2020-10146 Microsoft Teams displayName stored cross-site scripting vulnerability

2020-12-09 00:30:15
CWE-79
certcc
www.cve.org

CVSS3: 5.7

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

AI Score: 5.9
Confidence: High

EPSS: 0.001
Percentile: 26.7%

The Microsoft Teams online service contains a stored cross-site scripting vulnerability in the displayName parameter that can be exploited on Teams clients to obtain sensitive information such as authentication tokens and to possibly execute arbitrary commands. This vulnerability was fixed for all Teams users in the online service on or around October 2020.

CNA Affected

[
  {
    "product": "Teams",
    "vendor": "Microsoft",
    "versions": [
      {
        "lessThan": "on or about October 2020",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]
