Skip to content

XSS in username that will trigger by sending chat

High
antobinary published GHSA-hwv2-5pf5-hr87 Jun 22, 2022

Package

No package listed

Affected versions

2.3, <2.4.8, <2.5.0

Patched versions

2.4.8, 2.5.0

Description

Impact

Users in meeting with private chat enabled.

Description

Pentests.nl has discovered a vulnerability in BigBlueButton which could be exploited to perform stored Cross-Site Scripting (XSS) attacks by sending private messages to users.

Patches

Patched on BigBlueButton 2.4.8 and higher.
Patched on BigBlueButton 2.5.0 and higher.

Workarounds

No workarounds.

References

Security advisory https://pentests.nl/pentest-blog/stored-xss-in-bigbluebutton/
Patched on BigBlueButton 2.5 #15067
Patched on BigBlueButton 2.4 #15090

For more information

If you have any questions or comments about this advisory:

Email us at security at bigbluebutton.org

Credits

We thank Rick Verdoes and Danny de Weille from Hackify - https://pentests.nl/, who examined the BigBlueButton code base and responsibly disclosed this vulnerability.

Severity

High
7.2
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CVE ID

CVE-2022-31064

Weaknesses

No CWEs