BigBlueButton is an open source web conferencing system. Users in meetings with private chat enabled are vulnerable to a cross site scripting attack in affected versions. The attack occurs when the attacker (with xss in the name) starts a chat. in the victim's client the JavaScript will be executed. This issue has been addressed in version 2.4.8 and 2.5.0. There are no known workarounds for this issue.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/167682/BigBlueButton-2.3-2.4.7-Cross-Site-Scripting.html | Exploit Third Party Advisory VDB Entry |
http://seclists.org/fulldisclosure/2022/Jun/52 | Exploit Mailing List Third Party Advisory |
https://github.com/bigbluebutton/bigbluebutton/pull/15067 | Patch Release Notes Third Party Advisory |
https://github.com/bigbluebutton/bigbluebutton/pull/15090 | Patch Third Party Advisory |
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-hwv2-5pf5-hr87 | Patch Third Party Advisory |
https://pentests.nl/pentest-blog/stored-xss-in-bigbluebutton/ | Exploit Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
07 Jul 2022, 19:07
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 2.1
v3 : 5.4 |
First Time |
Bigbluebutton bigbluebutton
Bigbluebutton |
|
References | (MISC) https://github.com/bigbluebutton/bigbluebutton/pull/15090 - Patch, Third Party Advisory | |
References | (MISC) https://pentests.nl/pentest-blog/stored-xss-in-bigbluebutton/ - Exploit, Third Party Advisory | |
References | (FULLDISC) http://seclists.org/fulldisclosure/2022/Jun/52 - Exploit, Mailing List, Third Party Advisory | |
References | (MISC) http://packetstormsecurity.com/files/167682/BigBlueButton-2.3-2.4.7-Cross-Site-Scripting.html - Exploit, Third Party Advisory, VDB Entry | |
References | (MISC) https://github.com/bigbluebutton/bigbluebutton/pull/15067 - Patch, Release Notes, Third Party Advisory | |
References | (CONFIRM) https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-hwv2-5pf5-hr87 - Patch, Third Party Advisory | |
CPE | cpe:2.3:a:bigbluebutton:bigbluebutton:2.3.0:*:*:*:*:*:*:* cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:alpha6:*:*:*:*:*:* cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:* cpe:2.3:a:bigbluebutton:bigbluebutton:2.4.9:*:*:*:*:*:*:* cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:beta1:*:*:*:*:*:* cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:alpha4:*:*:*:*:*:* cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:rc.3:*:*:*:*:*:* cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:beta2:*:*:*:*:*:* cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:alpha5:*:*:*:*:*:* cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:alpha3:*:*:*:*:*:* cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:rc.1:*:*:*:*:*:* cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:alpha2:*:*:*:*:*:* cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:rc.2:*:*:*:*:*:* cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:alpha1:*:*:*:*:*:* cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:rc.4:*:*:*:*:*:* |
01 Jul 2022, 17:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
01 Jul 2022, 08:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
27 Jun 2022, 20:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-06-27 20:15
Updated : 2023-12-10 14:22
NVD link : CVE-2022-31064
Mitre link : CVE-2022-31064
CVE.ORG link : CVE-2022-31064
JSON object : View
Products Affected
bigbluebutton
- bigbluebutton
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')