Skip to main content

Teams CVE-2020-10146

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2020-12-09 cret@cert.org
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Dec 09, 2020 - 01:15 nvd
MEDIUM 5.4

DescriptionNVD

The Microsoft Teams online service contains a stored cross-site scripting vulnerability in the displayName parameter that can be exploited on Teams clients to obtain sensitive information such as authentication tokens and to possibly execute arbitrary commands. This vulnerability was fixed for all Teams users in the online service on or around October 2020.

AnalysisAI

The Microsoft Teams online service contains a stored cross-site scripting vulnerability in the displayName parameter that can be exploited on Teams clients to obtain sensitive information such as. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. The Microsoft Teams online service contains a stored cross-site scripting vulnerability in the displayName parameter that can be exploited on Teams clients to obtain sensitive information such as authentication tokens and to possibly execute arbitrary commands. This vulnerability was fixed for all Teams users in the online service on or around October 2020. Affected products include: Microsoft Teams.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

More in Teams

View all
CVE-2024-42004 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti

CVE-2024-41145 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27

CVE-2024-41138 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work

CVE-2023-4863 HIGH POC
8.8 Sep 12

Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to

CVE-2026-42835 HIGH
8.1 Jun 09

Information disclosure in Microsoft Teams for Android allows an authenticated remote attacker to extract sensitive data

CVE-2023-29330 HIGH
8.8 Aug 08

Microsoft Teams Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely expl

CVE-2023-29328 HIGH
8.8 Aug 08

Microsoft Teams Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely expl

CVE-2026-21535 HIGH
8.2 Feb 19

Microsoft Teams contains an access control vulnerability that enables unauthenticated remote attackers to extract sensit

CVE-2020-17091 HIGH
7.8 Nov 11

Microsoft Teams Remote Code Execution Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is no authentica

CVE-2019-5922 HIGH
7.8 Mar 12

Untrusted search path vulnerability in The installer of Microsoft Teams allows an attacker to gain privileges via a Troj

CVE-2025-53783 HIGH
7.5 Aug 12

Heap-based buffer overflow in Microsoft Teams allows an unauthorized attacker to execute code over a network. Rated high

CVE-2025-49737 HIGH
7.0 Jul 08

Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Teams allows an

Share

CVE-2020-10146 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy