A Security Engineer at Evolution Gaming has discovered a Cross-site Scripting (XSS) vulnerability on the teams.microsoft.com domain. This could be abused to trigger a Remote Code Execution (RCE) flaw in the Microsoft Teams Desktop Application.
According to the researcher, an attacker simply needs to send a specially crafted message to any Teams user or channel to launch a successful exploit, which runs clandestinely in the background without the users notice.
Windows (version 1.3.00.21759), macOS (version 1.3.00.23764) and Linux (1.3.00.16851) were affected.
Successful exploitation of this vulnerability allows an attacker to access confidential conversations and files in the Teams application. It could even result in access to private keys and personal data outside the application, making it significantly dangerous.
Furthermore, this vulnerability is wormable, meaning an attacker can automatically send the exploit payload to other users and channels without interaction.
This issue was mitigated against by Microsoft’s patch in October, an immediate update is recommended for those who haven’t done so already.
Source: Security Week
Introducing ISO 42001 – the world’s first international management system standard focused specifically on AI.…
Data breaches and cyberattacks have become daily concerns for information security professionals and business leaders.…
It is an undeniable fact that all applications and infrastructures are essentially in need of…
