Windows Information Disclosure Vulnerability

ID MS:CVE-2019-1172
Type mscve
Reporter Microsoft
Modified 2019-08-13T07:00:00


An information disclosure vulnerability exists in Azure Active Directory (AAD) Microsoft Account (MSA) during the login request session. An attacker who successfully exploited the vulnerability could take over a user's account.

To exploit the vulnerability, an attacker would have to trick a user into browsing to a specially crafted website, allowing the attacker to steal the user's token.

The security update addresses the vulnerability by correcting how MSA handles cookies.