CVE-2023-43797

BigBlueButton is an open-source virtual classroom. Prior to versions 2.6.11 and 2.7.0-beta.3, Guest Lobby was vulnerable to cross-site scripting when users wait to enter the meeting due to inserting unsanitized messages to the element using unsafe innerHTML. Text sanitizing was added for lobby messages starting in versions 2.6.11 and 2.7.0-beta.3. There are no known workarounds.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
GitHub_MCNA
6.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 22%
VendorProductVersion
bigbluebuttonbigbluebutton
𝑥
< 2.6.11
bigbluebuttonbigbluebutton
2.7.0:alpha1
bigbluebuttonbigbluebutton
2.7.0:alpha2
bigbluebuttonbigbluebutton
2.7.0:alpha3
bigbluebuttonbigbluebutton
2.7.0:beta1
bigbluebuttonbigbluebutton
2.7.0:beta2
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/bigbluebutton/bigbluebutton/commit/304bc851a00558f99a908880f4ac44234a074c9d
https://github.com/bigbluebutton/bigbluebutton/pull/18392
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-v6wg-q866-h73x
https://github.com/bigbluebutton/bigbluebutton/commit/304bc851a00558f99a908880f4ac44234a074c9d
https://github.com/bigbluebutton/bigbluebutton/pull/18392
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-v6wg-q866-h73x