Impact
An attacker can embed malicious JavaScript in their username and have it executed in the victim's client.
Description
When a user receives a private chat message from the attacker (whose username contains malicious JavaScript), the script is executed in the victim's client. The script is also executed when the victim receives the notification that the attacker has left the session.
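The defect class described above is a stored cross-site scripting issue: a user-controlled display name is inserted into HTML without escaping, in two places (the private-chat rendering and the "user has left" notification). The following is an added illustration, not BigBlueButton's code or the fix in the referenced pull requests; the function names, the rendering templates and the sample username are constructed for this example. It shows an unescaped renderer beside an escaped one and a check that can be used in a unit test to catch regressions.

```javascript
// Added example (not BigBlueButton's code): escaping user-controlled names
// before they are inserted into chat and notification HTML.
// escapeHtml, renderPrivateChatUnsafe, renderPrivateChat, renderLeaveNotice,
// containsRawTag and SAMPLE_NAME are all constructed for this illustration.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can change meaning in an HTML text or
// attribute context. Apply exactly once, at the point of insertion.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe variant: the raw username is interpolated, so any markup in the
// name becomes markup in the page. This is the defect class the advisory
// describes, kept here only to contrast with the escaped version below.
function renderPrivateChatUnsafe(senderName, message) {
  return `<div class="chat"><b>${senderName}</b>: ${message}</div>`;
}

// Safe variant: every untrusted field is escaped before interpolation.
function renderPrivateChat(senderName, message) {
  return `<div class="chat"><b>${escapeHtml(senderName)}</b>: ${escapeHtml(message)}</div>`;
}

// The second affected surface: the "left the session" notification.
function renderLeaveNotice(userName) {
  return `<div class="notice">${escapeHtml(userName)} has left the session</div>`;
}

// Regression check: if an untrusted input containing tag delimiters appears
// verbatim in the rendered HTML, escaping was skipped somewhere.
function containsRawTag(html, untrusted) {
  return /[<>]/.test(untrusted) && html.includes(untrusted);
}

// Constructed sample input: a display name carrying a script tag. The
// function name inside it is a placeholder, not a real payload.
const SAMPLE_NAME = '<script>placeholder()</script>Alice';

console.log(renderPrivateChatUnsafe(SAMPLE_NAME, 'hi'));
console.log(renderPrivateChat(SAMPLE_NAME, 'hi'));
console.log(renderLeaveNotice(SAMPLE_NAME));
```

In a framework client the same rule applies: render names through the framework's text interpolation (which escapes) rather than through raw-HTML APIs, and add a test like containsRawTag over every component that displays a username, since, as this advisory shows, the same field can be rendered in more than one place.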
Patches
Patched on BigBlueButton 2.4.8 and higher.
Patched on BigBlueButton 2.5.0 and higher.
Workarounds
No workarounds.
References
Patched on BigBlueButton 2.5 #15087
Patched on BigBlueButton 2.4 #15090
For more information
If you have any questions or comments about this advisory:
Email us at security at bigbluebutton.org
Credits
We thank mgm security partners GmbH, who examined the BigBlueButton code base and responsibly disclosed this vulnerability.