Description
AI command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.
CVSS breakdown
CVSS 3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality: High
- Integrity: Low
- Availability: None
- E: Unchanged
- RL: O
- RC: Changed
Affected products
- Microsoft / Microsoft 365 Copilot for Android: 1.0 – 16.0.19815.10000
- Microsoft / Microsoft 365 Copilot for iOS: 1.0 – 2.107.2
- Microsoft / Microsoft Edge for Android: 1.0.0 – 145.3800.99
- Microsoft / Microsoft Edge for iOS: 1.0.0.0 – 145.3800.99
- Microsoft / Microsoft Excel for Android: 16.0.0.0 – 16.0.19822.20038
- Microsoft / Microsoft Excel for iOS: 1.0 – 2.106.26020617
- Microsoft / Microsoft Loop for iOS: 2.0.0 – 2.106.26020617
- Microsoft / Microsoft OneNote: 1.0.0 – 2.106.26020617
- Microsoft / Microsoft OneNote for Android: 16.0.1 – 16.0.19725.20142
- Microsoft / Microsoft Outlook for Android: 1.0 – 5.2605
- Microsoft / Microsoft Outlook for iOS: 1.0.0 – 5.2605
- Microsoft / Microsoft Outlook for Mac: 1.0.0 – 5.2605
- Microsoft / Microsoft PowerBI for Android: 2.0.0 – 2.2.260210.21290750
- Microsoft / Microsoft PowerBI for iOS: 1.0.0 – 1.2.260302.2193910
- Microsoft / Microsoft PowerPoint for Android: 16.0.0.0 – 16.0.19822.20038
- Microsoft / Microsoft PowerPoint for iOS: 1.0 – 2.106.26020617
- Microsoft / Microsoft Teams for Android: 1.0.0 – 1.0.0.2026043102
- Microsoft / Microsoft Teams for iOS: 2.0.0 – 8.3.1
- Microsoft / Microsoft Word for Android: 16.0.0.0 – 16.0.19822.20038
- Microsoft / Microsoft Word for iOS: 2.0.0 – 2.106.26020617