CVE-2020-12113 - OpenCVE

BigBlueButton before 2.2.4 allows XSS via closed captions because dangerouslySetInnerHTML in React is used.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Bigbluebutton	Bigbluebutton

Configuration 1 [-]

cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/bigbluebutton/bigbluebutton/pull/9017	Patch Third Party Advisory
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.2.4	Third Party Advisory
https://www.sakshamanand.com/cve-2020-12113/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2020-04-23T17:53:47

Updated: 2020-09-30T15:30:01

Reserved: 2020-04-23T00:00:00

Link: CVE-2020-12113

JSON object: View

NVD Information

Status : Modified

Published: 2020-04-23T18:15:11.777

Modified: 2020-09-30T18:15:18.600

Link: CVE-2020-12113

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B080A47-5699-4BFF-B28A-9C83C380C244", "versionEndExcluding": "2.2.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "BigBlueButton before 2.2.4 allows XSS via closed captions because dangerouslySetInnerHTML in React is used."}, {"lang": "es", "value": "BigBlueButton versiones anteriores a 2.2.4, permite un ataque de tipo XSS por medio de subt\u00edtulos porque es usada la funci\u00f3n dangerouslySetInnerHTML en React."}], "id": "CVE-2020-12113", "lastModified": "2020-09-30T18:15:18.600", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-04-23T18:15:11.777", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/bigbluebutton/bigbluebutton/pull/9017"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.2.4"}, {"source": "cve@mitre.org", "url": "https://www.sakshamanand.com/cve-2020-12113/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}