CVE-2020-10146

CVE Database · CVE-2020-10146

CVE-2020-10146

· MEDIUMModified

CVSS v3.1

5.7

EPSS

1.89%

Published

Dec 8, 2020

Modified

Nov 21, 2024

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

The Microsoft Teams online service contains a stored cross-site scripting vulnerability in the displayName parameter that can be exploited on Teams clients to obtain sensitive information such as authentication tokens and to possibly execute arbitrary commands. This vulnerability was fixed for all Teams users in the online service on or around October 2020.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Weaknesses (CWE)

CWE-79CWE-79

Affected Products (1)

microsoft · teams (up to 2020-10-29)vulnerable

References (2)

https://github.com/oskarsve/ms-teams-rce

ExploitThird Party Advisory

https://github.com/oskarsve/ms-teams-rce

ExploitThird Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs