CVE-2022-31064

 

Published at: - 27-06-2022 10:15

Last modified: - 07-07-2022 09:07

Total changes: - 4

Description

BigBlueButton is an open source web conferencing system. Users in meetings with private chat enabled are vulnerable to a cross site scripting attack in affected versions. The attack occurs when the attacker (with xss in the name) starts a chat. in the victim's client the JavaScript will be executed. This issue has been addressed in version 2.4.8 and 2.5.0. There are no known workarounds for this issue.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

 

Verification logic

 

Reference

• https://pentests.nl/pentest-blog/stored-xss-in-bigbluebutton/
• https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-hwv2-5pf5-hr87
• https://github.com/bigbluebutton/bigbluebutton/pull/15067
• https://github.com/bigbluebutton/bigbluebutton/pull/15090
• 20220630 BigBlueButton - Stored XSS in username (CVE-2022-31064)-Exploit, Mailing List, Third Party Advisory
• http://packetstormsecurity.com/files/167682/BigBlueButton-2.3-2.4.7-Cross-Site-Scripting.html

 

Keywords

NVD

 

CVE-2022-31064

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures