Microsoft Security Response Center

**Is the Preview Pane an attack vector for this vulnerability?** No, the Preview Pane is not an attack vector.

**According to the CVSS, User Interaction is Required. What interaction would the user have to do?** Exploitation of the vulnerability requires that a target be lured to and make use of a specially crafted functionality on a SharePoint page created by the attacker. An attacker would have no way to force users to visit the website. Instead, an attacker would have to convince users to click a link, typically by way of an enticement in an email or instant message, and then convince them to use the intended functionality.

**Why is Attack Complexity marked as High for this vulnerability?** Successful exploitation of this vulnerability requires an attacker to take additional actions prior to exploitation to prepare the target environment.

**According to the CVSS score, the attack vector is Local. Why does the CVE title indicate that this is a Remote Code Execution?** The word **Remote** in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the **Attack Vector** is **Local** and **User Interaction** is **Required**, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.

**How do I get the update for Microsoft Teams for iOS?** 1. Tap the **Settings** icon 2. Tap the\*\* iTunes & App Store\*\* 3. Turn on AUTOMATIC DOWNLOADS for Apps **Alternatively** 1. Tap the\*\* App Store\*\* icon 2. Scroll down to find Microsoft Teams 3. Tap the **Update** button

**According to the CVSS score, the attack vector is Local. Why does the CVE title indicate that this is a Remote Code Execution?** The word **Remote** in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the **Attack Vector** is **Local** and **User Interaction** is **Required**, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.

**According to the CVSS score, the attack vector is Local. Why does the CVE title indicate that this is a Remote Code Execution?** The word **Remote** in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the **Attack Vector** is **Local** and **User Interaction** is **Required**, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.

**According to the CVSS score, the attack vector is Local. Why does the CVE title indicate that this is a Remote Code Execution?** The word **Remote** in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. For example, when the score indicates that the **Attack Vector** is **Local** and **User Interaction** is **Required**, this could describe an exploit in which an attacker, through social engineering, convinces a victim to download and open a specially crafted file from a website which leads to a local attack on their computer.

**Is the Preview Pane an attack vector for this vulnerability?** No, the Preview Pane is not an attack vector.

**What privileges are required to exploit this vulnerability?** The attacker must be authenticated and possess the permissions for page creation to be able to exploit this vulnerability.