← volver
CVE-2022-31065

Cross site scripting vulnerability for private chat in bigbluebutton

CVSS 6.5 MEDIUMEPSS 0.7%CWE-79
BigBlueButton is an open source web conferencing system. In affected versions an attacker can embed malicious JS in their username and have it executed on the victim's client. When a user receives a private chat from the attacker (whose username contains malicious JavaScript), the script gets executed. Additionally when the victim receives a notification that the attacker has left the session. This issue has been patched in version 2.4.8 and 2.5.0. There are no known workarounds for this issue.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Productos afectados
bigbluebutton · bigbluebutton

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/bigbluebutton/bigbluebutton/pull/15087https://github.com/bigbluebutton/bigbluebutton/pull/15090https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-8m2p-7qv3-qff7