CVE-2023-24881: Microsoft Teams Information Disclosure Vulnerability

Overview

Severity: Medium (CVSS 6.5)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
Category: Information Disclosure
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2023-May
Released: 2023-05-09
Last Updated: 2023-07-21
EPSS Score: 0.28% (percentile: 51.1%)

FAQ

What type of information could be disclosed by this vulnerability?
This vulnerability could disclose sensitive information, which might include a user's full trust token.

How could an attacker exploit the vulnerability?
In a network-based attack, an attacker could host a site containing malicious code. When a target accesses that site, it could force open a full trust application and potentially obtain a user's full trust token.

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?
Exploitation of the vulnerability requires that a user navigate to a malicious site hosted on *.sharepoint.com.

Affected Products (1)

Microsoft Office

  • Microsoft Teams

Security Updates (1)

Acknowledgments

Dan Saunders with Microsoft, Trevor Harris with Microsoft

Revision History

  • 2023-05-09: Information published.
  • 2023-07-21: Removed one of the FAQs. This is an information change only.