#Outlook for Android

Exposure of sensitive information to an unauthorized actor in Outlook for Android allows an unauthorized attacker to disclose information over a network.

**According to the CVSS metric, Integrity (I:L) is Low. What does that mean for this vulnerability?** An attacker's message can inherit the sender's email address from another message in the UI. The attacker cannot control which message it inherits from. This issue occurs exclusively for messages in the Junk folder, as it is the only folder where the app displays the sender's email address. The attacker cannot affect confidentiality or availability.

**According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?** This vulnerability requires that a user with an affected version of Outlook open a malicious meeting or appointment invite from the attacker.

**What type of information could be disclosed by this vulnerability?** The type of information that could be disclosed if an attacker successfully exploited this vulnerability is file content.