CVE-2022-26497

BigBlueButton Greenlight 2.11.1 allows XSS. A threat actor could have a username containing a JavaScript payload. The payload gets executed in the browser of the victim in the "Share room access" dialog if the victim has shared access to the particular room with the attacker previously.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.4 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 26%
VendorProductVersion
bigbluebuttongreenlight
2.11.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
http://packetstormsecurity.com/files/172143/Shannon-Baseband-acfg-pcfg-SDP-Attribute-Memory-Corruption.html
https://github.com/bigbluebutton/greenlight/blob/master/app/assets/javascripts/room.js#L352
https://www.mgm-sp.com/en/cve-2022-26497-bigbluebutton-greenlight-xss/
http://packetstormsecurity.com/files/172143/Shannon-Baseband-acfg-pcfg-SDP-Attribute-Memory-Corruption.html
https://github.com/bigbluebutton/greenlight/blob/master/app/assets/javascripts/room.js#L352
https://www.mgm-sp.com/en/cve-2022-26497-bigbluebutton-greenlight-xss/