CVE-2022-31064

Published: Jun 27, 2022Modified: Nov 21, 2024

5.4

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.3 / Impact: 2.7

Source: NVD

Description

BigBlueButton is an open source web conferencing system. Users in meetings with private chat enabled are vulnerable to a cross site scripting attack in affected versions. The attack occurs when the attacker (with xss in the name) starts a chat. in the victim's client the JavaScript will be executed. This issue has been addressed in version 2.4.8 and 2.5.0. There are no known workarounds for this issue.

Affected (15)

Products: Bigbluebutton: Bigbluebutton

1 product

Configuration A

15 vulnerable

Vulnerable Software	Affected Versions
Bigbluebutton Bigbluebutton	From 2.4 to 2.4.8
Bigbluebutton Bigbluebutton	Version 2.3.0
Bigbluebutton Bigbluebutton	Version 2.4.9
Bigbluebutton Bigbluebutton	Version 2.5 alpha1
Bigbluebutton Bigbluebutton	Version 2.5 alpha2
Bigbluebutton Bigbluebutton	Version 2.5 alpha3
Bigbluebutton Bigbluebutton	Version 2.5 alpha4
Bigbluebutton Bigbluebutton	Version 2.5 alpha5
Bigbluebutton Bigbluebutton	Version 2.5 alpha6
Bigbluebutton Bigbluebutton	Version 2.5 beta1
Bigbluebutton Bigbluebutton	Version 2.5 beta2
Bigbluebutton Bigbluebutton	Version 2.5 rc.1
Bigbluebutton Bigbluebutton	Version 2.5 rc.2
Bigbluebutton Bigbluebutton	Version 2.5 rc.3
Bigbluebutton Bigbluebutton	Version 2.5 rc.4

Related CWEs

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (12)

http://packetstormsecurity.com/files/167682/BigBlueButton-2.3-2.4.7-Cross-Site-Scripting.html

Source: security-advisories@github.com

ExploitThird Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2022/Jun/52

Source: security-advisories@github.com

ExploitMailing ListThird Party Advisory

https://github.com/bigbluebutton/bigbluebutton/pull/15067

Source: security-advisories@github.com

PatchRelease NotesThird Party Advisory

https://github.com/bigbluebutton/bigbluebutton/pull/15090

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-hwv2-5pf5-hr87

Source: security-advisories@github.com

PatchThird Party Advisory

https://pentests.nl/pentest-blog/stored-xss-in-bigbluebutton/

Source: security-advisories@github.com

ExploitThird Party Advisory

http://packetstormsecurity.com/files/167682/BigBlueButton-2.3-2.4.7-Cross-Site-Scripting.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party AdvisoryVDB Entry

http://seclists.org/fulldisclosure/2022/Jun/52

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitMailing ListThird Party Advisory

https://github.com/bigbluebutton/bigbluebutton/pull/15067

Source: af854a3a-2127-422b-91ae-364da2661108

PatchRelease NotesThird Party Advisory

https://github.com/bigbluebutton/bigbluebutton/pull/15090

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-hwv2-5pf5-hr87

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://pentests.nl/pentest-blog/stored-xss-in-bigbluebutton/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.