Description
M365 Copilot Information Disclosure Vulnerability
AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.
FAQ
According to the CVSS metric, the attack vector is network (AV:N) and user interaction is required (UI:R). Why does the CVE title indicate that this is information disclosure?
An attacker who successfully exploited this vulnerability could use malicious email to cause Copilot to present authoritative‑looking phishing messages that prompt the user to click links leading to data exfiltration or navigation to a malicious site.
According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), and some loss of integrity (I:L), but no loss of availability (A:N). What does that mean for this vulnerability?
An attacker who successfully exploited this vulnerability could potentially view sensitive information (confidentiality) or make limited changes to disclosed information (integrity); however, it is unlikely that both would be impacted simultaneously, and the attacker would not be able to affect availability.
Updates
| Product | Article | Update |
|---|---|---|
| Microsoft Outlook for Android | | |
| Microsoft Outlook for iOS | | |
| Microsoft Word for Android | | |
| Microsoft Edge for Android | - | |
| Microsoft Teams for iOS | | |
| Microsoft Edge for iOS | - | |
| Microsoft Teams for Android | | |
| Microsoft Excel for Android | | |
| Microsoft PowerPoint for Android | | |
| Microsoft OneNote for Android | | |
Exploitability
Publicly Disclosed
Exploited
Latest Software Release
EPSS
7.1 High
CVSS3