CVE-2022-31064

Exploit

EPSS 1.18%
Veröffentlicht 27.06.2022 20:15:08
Zuletzt bearbeitet 21.11.2024 07:03:49
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Cross site scripting in username that will trigger by sending chat

XSS in username that will trigger by sending chat

BigBlueButton is an open source web conferencing system. Users in meetings with private chat enabled are vulnerable to a cross site scripting attack in affected versions. The attack occurs when the attacker (with xss in the name) starts a chat. in the victim's client the JavaScript will be executed. This issue has been addressed in version 2.4.8 and 2.5.0. There are no known workarounds for this issue.

Mögliche Gegenmaßnahme

Server: No workarounds.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 10

NVD 15 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

BigBlueButton ≫ BigBlueButton Version >= 2.4 < 2.4.8

BigBlueButton ≫ BigBlueButton Version2.3.0

BigBlueButton ≫ BigBlueButton Version2.4.9

BigBlueButton ≫ BigBlueButton Version2.5 Updatealpha1

BigBlueButton ≫ BigBlueButton Version2.5 Updatealpha2

BigBlueButton ≫ BigBlueButton Version2.5 Updatealpha3

BigBlueButton ≫ BigBlueButton Version2.5 Updatealpha4

BigBlueButton ≫ BigBlueButton Version2.5 Updatealpha5

BigBlueButton ≫ BigBlueButton Version2.5 Updatealpha6

BigBlueButton ≫ BigBlueButton Version2.5 Updatebeta1

BigBlueButton ≫ BigBlueButton Version2.5 Updatebeta2

BigBlueButton ≫ BigBlueButton Version2.5 Updaterc.1

BigBlueButton ≫ BigBlueButton Version2.5 Updaterc.2

BigBlueButton ≫ BigBlueButton Version2.5 Updaterc.3

BigBlueButton ≫ BigBlueButton Version2.5 Updaterc.4

Weitere Schwachstelleninformationen

SystemBigBlueButton

≫

Produkt Server

Version >= 0.0.0, < 2.4.8

Version >= 2.5.0, < 2.5.0

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.18%	0.636

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	2.1	3.9	2.9	AV:N/AC:H/Au:S/C:N/I:P/A:N
security-advisories@github.com	6.5	2.3	3.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

http://packetstormsecurity.com/files/167682/BigBlueButton-2.3-2.4.7-Cross-Site-Scripting.html

Third Party Advisory

Exploit

VDB Entry

http://seclists.org/fulldisclosure/2022/Jun/52

Third Party Advisory

Exploit

Mailing List

https://github.com/bigbluebutton/bigbluebutton/pull/15067

Patch

Third Party Advisory

Release Notes

https://github.com/bigbluebutton/bigbluebutton/pull/15090

Patch

Third Party Advisory

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-hwv2-5pf5-hr87

Patch

Third Party Advisory

https://pentests.nl/pentest-blog/stored-xss-in-bigbluebutton/

Third Party Advisory

Exploit

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-hwv2-5pf5-hr87

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-31064

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-31064

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-31064

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-31064