Microsoft Visual Studio Spoofing Vulnerability
Released: Mar 10, 2020
- Assigning CNA: Microsoft
- CVE.org link: CVE-2020-0884
Executive Summary
A spoofing vulnerability exists in Microsoft Visual Studio because it includes a reply URL that is not secured by SSL. An attacker who successfully exploited this vulnerability could compromise access tokens, creating security and privacy risks.
To exploit this vulnerability, an attacker would need to monitor the network traffic between a client machine and the server while the end user is developing an Outlook Web Add-in; the client must also have two-factor authentication enabled in Outlook.
The update addresses the vulnerability by securing the reply URL with HTTPS.
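The check below is an added example, not code from Microsoft or from the advisory: it audits a list of reply URLs and flags any that would carry a token response over cleartext HTTP, which is the condition the update removes. The function names and sample URLs are constructed, and the separate loopback category goes beyond the advisory, on the assumption that loopback traffic never reaches the network an attacker would be monitoring.

```python
"""Audit reply (redirect) URLs for cleartext transport."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample registrations; none of these come from the advisory.
SAMPLE_REPLY_URLS = [
    "https://addin.example.test/auth/callback",
    "http://addin.example.test/auth/callback",
    " HTTP://Addin.example.test/auth/callback ",  # case and whitespace variants
    "http://127.0.0.1:44300/auth/callback",
    "http://[::1]:44300/auth/callback",
    "http://localhost.example.test/auth/callback",  # looks local, is not
    "addin.example.test/auth/callback",             # no scheme at all
]

def _is_loopback(host):
    """True for 'localhost' and for literal loopback IP addresses."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # not an IP literal, so an ordinary DNS name
        return False

def classify_reply_url(url):
    """Return 'ok', 'cleartext', 'loopback-http' or 'invalid'."""
    try:
        parts = urlsplit(url.strip())
        host = parts.hostname  # lowercased, brackets removed for IPv6
    except ValueError:
        return "invalid"
    if not host or parts.scheme not in ("http", "https"):
        return "invalid"
    if parts.scheme == "https":
        return "ok"
    # Plain HTTP: tokens returned to this URL are readable on the wire,
    # unless the listener is bound to the local machine only.
    return "loopback-http" if _is_loopback(host) else "cleartext"

def audit(urls):
    """Return (url, verdict) for every reply URL that is not HTTPS."""
    return [(u, v) for u in urls if (v := classify_reply_url(u)) != "ok"]

if __name__ == "__main__":
    for url, verdict in audit(SAMPLE_REPLY_URLS):
        print(f"{verdict:14} {url!r}")
```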
Exploitability
The following table provides an exploitability assessment for this vulnerability at the time of original publication.
- Publicly disclosed: No
- Exploited: No
- Exploitability assessment: Exploitation Less Likely
Acknowledgements
Security Updates
To determine the support lifecycle for your software, see the Microsoft Support Lifecycle.
Disclaimer
Revisions
Information published.