BigBlueButton is an open source web conferencing system from the BigBlueButton community. BigBlueButton v2.4.7 and prior versions contain a cross-site scripting vulnerability caused by insufficient validation and output encoding of user-supplied data in the chat feature. An attacker could exploit the vulnerability by setting a JavaScript payload as their user name; the payload executes in the victim's browser each time the attacker sends the victim a private message, or when the client displays a notification that the attacker has left the room.
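The rendering defect described above, as an added example that is not BigBlueButton's own code: a display name taken from user input is concatenated into the private-message and leave-notification markup without encoding, so the browser parses it as HTML; the hardened variants encode the value at output and additionally validate the name when it is set. Function names and the sample name are constructed for this illustration.

```javascript
// Encode the five characters that matter in an HTML text/attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// VULNERABLE pattern: the untrusted name is spliced straight into markup.
// Whatever the user typed as a name becomes part of the DOM.
function renderLeaveNoticeUnsafe(userName) {
  return `<div class="notification">${userName} has left the room</div>`;
}

// FIXED: same notification, but the untrusted value is encoded first, so
// markup in the name is displayed as literal text.
function renderLeaveNoticeSafe(userName) {
  return `<div class="notification">${escapeHtml(userName)} has left the room</div>`;
}

// Private chat: both the sender name and the message body are untrusted.
function renderPrivateMessageSafe(senderName, text) {
  return `<li><span class="sender">${escapeHtml(senderName)}</span>: ${escapeHtml(text)}</li>`;
}

// Input-side validation (defence in depth, not a substitute for encoding):
// allow letters, digits, space and a few punctuation marks, max 64 chars.
function validateDisplayName(name) {
  return /^[\p{L}\p{N} .'_-]{1,64}$/u.test(name);
}

// Constructed sample: a display name carrying markup, as a user could set
// it in the chat feature. The script body is a harmless placeholder.
const hostileName = '<script>alert("name")</script>Mallory';

function demo() {
  return {
    unsafe: renderLeaveNoticeUnsafe(hostileName),   // contains a live <script> element
    safe: renderLeaveNoticeSafe(hostileName),       // contains only &lt;script&gt; text
    accepted: validateDisplayName(hostileName),     // false: rejected at entry
  };
}
```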
| CPE | Name | Operator | Version |
|---|---|---|---|
| | bigbluebutton bigbluebutton <=v | eq | 2.4.7 |