CVE-2020-10146

CWE-79Cross-site Scripting (XSS)3 documents3 sources
Severity
5.4MEDIUM
EPSS
0.5%
top 33.18%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Microsoft Teams
Timeline
PublishedDec 9
Latest updateMay 24

Description

The Microsoft Teams online service contains a stored cross-site scripting vulnerability in the displayName parameter that can be exploited on Teams clients to obtain sensitive information such as authentication tokens and to possibly execute arbitrary commands. This vulnerability was fixed for all Teams users in the online service on or around October 2020.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:NExploitability: 2.1 | Impact: 3.6

Affected Packages2 packages

CVEListV5microsoft/teamsunspecifiedon or about October 2020
NVDmicrosoft/teams< 2020-10-29

🔴Vulnerability Details

2
GHSA
GHSA-8jq9-gwrr-4cqw: The Microsoft Teams online service contains a stored cross-site scripting vulnerability in the displayName parameter that can be exploited on Teams cl2022-05-24
CVEList
Microsoft Teams displayName stored cross-site scripting vulnerability2020-12-09
CVE-2020-10146 (MEDIUM CVSS 5.4) | The Microsoft Teams online service | cvebase.io