BigBlueButton is an open source web conferencing system. In affected versions an attacker can embed malicious JS in their username and have it executed on the victim's client. When a user receives a private chat from the attacker (whose username contains malicious JavaScript), the script gets executed. Additionally when the victim receives a notification that the attacker has left the session. This issue has been patched in version 2.4.8 and 2.5.0. There are no known workarounds for this issue.
References
Link | Resource |
---|---|
https://github.com/bigbluebutton/bigbluebutton/pull/15087 | Patch Third Party Advisory |
https://github.com/bigbluebutton/bigbluebutton/pull/15090 | Patch Third Party Advisory |
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-8m2p-7qv3-qff7 | Patch Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2022-06-27T19:45:21
Updated: 2022-06-27T19:45:21
Reserved: 2022-05-18T00:00:00
Link: CVE-2022-31065
JSON object: View
NVD Information
Status : Analyzed
Published: 2022-06-27T20:15:08.650
Modified: 2022-07-07T19:17:23.933
Link: CVE-2022-31065
JSON object: View
Redhat Information
No data.
CWE