
XSS vulnerability for private chat

High
antobinary published GHSA-8m2p-7qv3-qff7 Jun 22, 2022

Package

No package listed

Affected versions

2.3, < 2.4.8, < 2.5.0

Patched versions

2.4.8, 2.5.0

Description

Impact

The attacker can embed malicious JS in their username and have it executed on the victim's client.

Description

When a user receives a private chat from the attacker (whose username contains malicious JavaScript), the script gets executed. The script is also executed when the victim receives a notification that the attacker has left the session.
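The root cause is a display name reaching the client's HTML as markup rather than as text, in both the private chat message and the leave notification. As an added example (not BigBlueButton's own code), the following contrasts an unescaped template with an HTML-escaping one; the function names, the template wording and the sample display name are assumptions made for illustration.

```javascript
// Added example, not BigBlueButton's code. Shows why a display name must be
// escaped (or rendered as a text node) before it is placed into chat or
// notification markup. Function names and template are assumptions.

// Minimal HTML escaping for text placed inside an element body.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Unsafe: the name is interpolated into markup as-is. Any tag it carries
// becomes a live element once the string is assigned to innerHTML or
// rendered through React's dangerouslySetInnerHTML.
function renderLeaveNoticeUnsafe(displayName) {
  return `<p class="notice">${displayName} has left the session</p>`;
}

// Safe: same template, but the name is escaped first so it can only appear
// as text. In JSX, `{displayName}` gives the same result automatically.
function renderLeaveNoticeSafe(displayName) {
  return `<p class="notice">${escapeHtml(displayName)} has left the session</p>`;
}

// Defender's check: does the rendered fragment contain any tag besides the
// wrapper <p>? A true result means user input was interpreted as markup.
function containsForeignTags(html) {
  const inner = html.replace(/^<p class="notice">/, "").replace(/<\/p>$/, "");
  return /<[a-zA-Z!\/]/.test(inner);
}

// Constructed sample display name carrying harmless markup (not a real user).
const SAMPLE_NAME = "<i>alice</i>";

console.log(renderLeaveNoticeUnsafe(SAMPLE_NAME)); // <i> survives as an element
console.log(renderLeaveNoticeSafe(SAMPLE_NAME));   // <i> appears only as text
```

The same escaping applies wherever the private chat message header or body is built from the sender's name, since the advisory names both sinks.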

Patches

Patched on BigBlueButton 2.4.8 and higher.
Patched on BigBlueButton 2.5.0 and higher.

Workarounds

No workarounds.

References

Patched on BigBlueButton 2.5 #15087
Patched on BigBlueButton 2.4 #15090

For more information

If you have any questions or comments about this advisory:

Email us at security at bigbluebutton.org

Credits

We thank mgm security partners GmbH, who examined the BigBlueButton code base and responsibly disclosed this vulnerability.

Severity

High

CVE ID

CVE-2022-31065

Weaknesses

No CWEs