CVE-2022-27238
BigBlueButton up to version 2.4.7 is vulnerable to stored XSS in the private chat feature. An attacker can inject a JavaScript payload in their username, which is executed in the victim’s browser on private messages or when leaving the room notifications are shown. The core issue is insufficient ...