// For flags

CVE-2020-10146

Microsoft Teams displayName stored cross-site scripting vulnerability

Severity Score

5.4
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The Microsoft Teams online service contains a stored cross-site scripting vulnerability in the displayName parameter that can be exploited on Teams clients to obtain sensitive information such as authentication tokens and to possibly execute arbitrary commands. This vulnerability was fixed for all Teams users in the online service on or around October 2020.

El servicio en línea de Microsoft Teams contiene una vulnerabilidad de tipo cross-site scripting almacenado en el parámetro displayName que puede ser explotada en los clientes de Teams para conseguir información confidencial como tokens de autenticación y para ejecutar posiblemente comandos arbitrarios. Esta vulnerabilidad fue corregida para todos los usuarios de Teams en el servicio en línea sobre o alrededor de octubre de 2020

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
Single
Confidentiality
None
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-03-05 CVE Reserved
  • 2020-12-09 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-09-16 CVE Updated
  • 2024-09-16 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (1)
URL Tag Source
URL Date SRC
https://github.com/oskarsve/ms-teams-rce 2024-09-16
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Microsoft
Search vendor "Microsoft"
 Teams
Search vendor "Microsoft" for product "Teams"
 < 2020-10-29
Search vendor "Microsoft" for product "Teams" and version " < 2020-10-29"
-
Affected