BigBlueButton Greenlight 2.11.1 allows XSS. A threat actor could have a username containing a JavaScript payload. The payload gets executed in the browser of the victim in the "Share room access" dialog if the victim has shared access to the particular room with the attacker previously.
References
Link | Resource |
---|---|
http://packetstormsecurity.com/files/172143/Shannon-Baseband-acfg-pcfg-SDP-Attribute-Memory-Corruption.html | |
https://github.com/bigbluebutton/greenlight/blob/master/app/assets/javascripts/room.js#L352 | Exploit Third Party Advisory |
https://www.mgm-sp.com/en/cve-2022-26497-bigbluebutton-greenlight-xss/ | Patch Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2022-06-02T00:00:00
Updated: 2023-05-04T00:00:00
Reserved: 2022-03-06T00:00:00
Link: CVE-2022-26497
JSON object: View
NVD Information
Status : Modified
Published: 2022-06-02T18:15:09.567
Modified: 2023-05-04T17:15:12.210
Link: CVE-2022-26497
JSON object: View
Redhat Information
No data.
CWE