CVE-2020-10146: Microsoft Teams displayName stored cross-site scripting vulnerability
First published: Sun Dec 06 2020(Updated: )
The Microsoft Teams online service contains a stored cross-site scripting vulnerability in the displayName parameter that can be exploited on Teams clients to obtain sensitive information such as authentication tokens and to possibly execute arbitrary commands. This vulnerability was fixed for all Teams users in the online service on or around October 2020.
Credit: cret@cert.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Microsoft Teams | <2020-10-29 |
Remedy
This vulnerability was fixed for all Teams users in the online service on or around October 2020.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-10146?
CVE-2020-10146 is a stored cross-site scripting vulnerability in the displayName parameter of the Microsoft Teams online service.
How severe is CVE-2020-10146?
CVE-2020-10146 has a Medium severity with a CVSS score of 5.4.
How can CVE-2020-10146 be exploited?
CVE-2020-10146 can be exploited on Teams clients to obtain sensitive information and possibly execute arbitrary commands.
Has CVE-2020-10146 been fixed?
Yes, this vulnerability has been fixed for all Teams clients up to October 29, 2020.
How can I protect myself from CVE-2020-10146?
To protect yourself from CVE-2020-10146, make sure you are using the latest version of Microsoft Teams.
- agent/type
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/author
- agent/references
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/title
- agent/last-modified-date
- agent/tags
- agent/remedy
- agent/first-publish-date
- agent/event
- vendor/microsoft
- canonical/microsoft teams