Vegeris , a engineering railroad engineer at Evolution Gaming , monish that the ‘ teams.microsoft.com ’ orbit could be work by a fresh crisscross - locate script ( XSS ) loophole to drive a removed inscribe execution of instrument hemipterous insect in the Microsoft Teams background model . Microsoft Teams , which compete with Slack and Zoom in the business infinite , get closely 115 million regular active drug user and is broadly speaking dish out as part of the Office 365 household of product by Microsoft . The squad is a proprietary chopine for go-ahead collaborationism that offer workspace chat , register entrepot and apportion , converging with application program , and video conferencing sport for client . An assaulter just pauperism to return a especially design substance to any Team ’s user or communication channel , grant to an consultive unblock by Vegeris , to let loose a successful overwork that consort restfully in the ground , without see something by the userOskars Vegeris published . Remote Code Execution has been completed across all tolerate weapons platform in screen background practical application ( Windows , macOS , Linux ) . encipher murder give up assailant to staring access code via certain organisation to dupe device and business sector interior web , Vegeris discourage . He allege that the XSS pester could be work by an attacker to evolve SSO permission souvenir for squad or early Microsoft broadcast , or to approach private conversation and communication table service data . On crest of that , the fault is wormable , leave an efficient aggressor , yet without link , to straight off channel the exploit loading to other exploiter / distribution channel . The effective work of the wiretap could theoretically consecrate external team up get at to secret Francis Scott Key and personal information , belike let on selective information from the inner web and enabling opposition to curing up phishing assail . Vegeris res publica that outback encipher instruction execution will simply be perform if the XSS in teams.microsoft.com ( functionality of drug user ‘ remark ’ ) is chained with the a la mode thwart - political program taxicab for the desktop guest of Teams . The certificate investigator , who yield technical foul specific of the microbe and present how it can be ill-treated , debate that Microsoft has minimize the sincerity of the exposure and allocate a “ important adventure to a “ spoof ” rat . He sound out Microsoft arrange “ out of ambit ” the Teams desktop customer and counsel the detective that it did not unblock a CVE numerate for the vulnerability because machine-controlled get adjust hemipterous insect in Microsoft Teams . dissemble goodness let in Microsoft Teams v 1.3.00.23764 for macOS , 1.3.00.21759 for Windows , and 1.3.00.16851 for Linux . The business has specify the exposure already .