A Security Engineer at Evolution Gaming has discovered a Cross-site Scripting (XSS) vulnerability on the teams.microsoft.com domain. This could be abused to trigger a Remote Code Execution (RCE) flaw in the Microsoft Teams Desktop Application.
According to the researcher, an attacker simply needs to send a specially crafted message to any Teams user or channel to launch a successful exploit, which runs clandestinely in the background without the users notice.
Windows (version 1.3.00.21759), macOS (version 1.3.00.23764) and Linux (1.3.00.16851) were affected.
Successful exploitation of this vulnerability allows an attacker to access confidential conversations and files in the Teams application. It could even result in access to private keys and personal data outside the application, making it significantly dangerous.
Furthermore, this vulnerability is wormable, meaning an attacker can automatically send the exploit payload to other users and channels without interaction.
This issue was mitigated against by Microsoft’s patch in October, an immediate update is recommended for those who haven’t done so already.
Source: Security Week