CVE-2022-31065 Cross site scripting vulnerability for private chat in bigbluebutton

Published: 2022-06-27 19:45:21
CWE: CWE-79
Source: GitHub_M, www.cve.org
Tags: bigbluebutton, xss, vulnerability, private chat, version 2.4.8, version 2.5.0, patch

CVSS3: 6.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

EPSS: 0.001
Percentile: 30.8%

BigBlueButton is an open source web conferencing system. In affected versions an attacker can embed malicious JavaScript in their username and have it executed on the victim’s client. When a user receives a private chat from the attacker (whose username contains malicious JavaScript), the script gets executed. The script is also executed when the victim receives a notification that the attacker has left the session. This issue has been patched in versions 2.4.8 and 2.5.0. There are no known workarounds for this issue.

CNA Affected

[
  {
    "product": "bigbluebutton",
    "vendor": "bigbluebutton",
    "versions": [
      {
        "status": "affected",
        "version": "< 2.4.8"
      }
    ]
  }
]
