CVE-2020-10146 MEDIUM

CVE-2020-10146: Microsoft Teams displayName stored cross-site scripting vulnerability

Vendor Microsoft
Product Teams
Weakness CWE-79 · XSS
Published December 9, 2020
Last update September 16, 2024
View on NVD All CVEs

CVSS base score

5.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

The Microsoft Teams online service contains a stored cross-site scripting vulnerability in the displayName parameter that can be exploited on Teams clients to obtain sensitive information such as authentication tokens and to possibly execute arbitrary commands. This vulnerability was fixed for all Teams users in the online service on or around October 2020.

Key dates

02Disclosure timeline

December 9, 2020 CVE published
September 16, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-47029 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2026-27970 Angular i18n vulnerable to Cross-Site Scripting (XSS) CVE-2026-9549 Fix XSS in service discovery active check output CVE-2025-13857 Yet Another WebClap for WordPress <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes CVE-2023-4482 Auto Amazon Links <= 5.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via style