{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-26497", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2023-05-04T00:00:00", "dateReserved": "2022-03-06T00:00:00", "datePublished": "2022-06-02T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-05-04T00:00:00"}, "descriptions": [{"lang": "en", "value": "BigBlueButton Greenlight 2.11.1 allows XSS. A threat actor could have a username containing a JavaScript payload. The payload gets executed in the browser of the victim in the \"Share room access\" dialog if the victim has shared access to the particular room with the attacker previously."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/bigbluebutton/greenlight/blob/master/app/assets/javascripts/room.js#L352"}, {"url": "https://www.mgm-sp.com/en/cve-2022-26497-bigbluebutton-greenlight-xss/"}, {"url": "http://packetstormsecurity.com/files/172143/Shannon-Baseband-acfg-pcfg-SDP-Attribute-Memory-Corruption.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bigbluebutton:greenlight:2.11.1:*:*:*:*:*:*:*", "matchCriteriaId": "411A9E64-CB07-4FCD-B202-0D6F064A2252", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "BigBlueButton Greenlight 2.11.1 allows XSS. A threat actor could have a username containing a JavaScript payload. The payload gets executed in the browser of the victim in the \"Share room access\" dialog if the victim has shared access to the particular room with the attacker previously."}, {"lang": "es", "value": "BigBlueButton Greenlight versi\u00f3n 2.11.1, permite una vulnerabilidad de tipo XSS. Un actor de la amenaza podr\u00eda tener un nombre de usuario que contenga una carga \u00fatil de JavaScript. La carga \u00fatil es ejecutada en el navegador de la v\u00edctima en el cuadro de di\u00e1logo \"Share room access\" si la v\u00edctima ha compartido el acceso a la sala concreta con el atacante previamente"}], "id": "CVE-2022-26497", "lastModified": "2023-05-04T17:15:12.210", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-06-02T18:15:09.567", "references": [{"source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/172143/Shannon-Baseband-acfg-pcfg-SDP-Attribute-Memory-Corruption.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/bigbluebutton/greenlight/blob/master/app/assets/javascripts/room.js#L352"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.mgm-sp.com/en/cve-2022-26497-bigbluebutton-greenlight-xss/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}