CVE-2022-31065

BigBlueButton is an open source web conferencing system. In affected versions an attacker can embed malicious JS in their username and have it executed on the victim's client. When a user receives a private chat from the attacker (whose username contains malicious JavaScript), the script gets executed. Additionally when the victim receives a notification that the attacker has left the session. This issue has been patched in version 2.4.8 and 2.5.0. There are no known workarounds for this issue.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
GitHub_MCNA
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 20%
VendorProductVersion
bigbluebuttonbigbluebutton
2.4 ≤
𝑥
< 2.4.8
bigbluebuttonbigbluebutton
2.3.0
bigbluebuttonbigbluebutton
2.4.9
bigbluebuttonbigbluebutton
2.5:alpha1
bigbluebuttonbigbluebutton
2.5:alpha2
bigbluebuttonbigbluebutton
2.5:alpha3
bigbluebuttonbigbluebutton
2.5:alpha4
bigbluebuttonbigbluebutton
2.5:alpha5
bigbluebuttonbigbluebutton
2.5:alpha6
bigbluebuttonbigbluebutton
2.5:beta1
bigbluebuttonbigbluebutton
2.5:beta2
bigbluebuttonbigbluebutton
2.5:rc.1
bigbluebuttonbigbluebutton
2.5:rc.2
bigbluebuttonbigbluebutton
2.5:rc.3
bigbluebuttonbigbluebutton
2.5:rc.4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/bigbluebutton/bigbluebutton/pull/15087
https://github.com/bigbluebutton/bigbluebutton/pull/15090
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-8m2p-7qv3-qff7
https://github.com/bigbluebutton/bigbluebutton/pull/15087
https://github.com/bigbluebutton/bigbluebutton/pull/15090
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-8m2p-7qv3-qff7