CVE-2023-43797

EPSS 0.42%
Veröffentlicht 30.10.2023 23:15:08
Zuletzt bearbeitet 21.11.2024 08:24:48
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

BigBlueButton Stored Cross-site Scripting vulnerability at Guest Lobby

Stored XSS at Guest Lobby

BigBlueButton is an open-source virtual classroom. Prior to versions 2.6.11 and 2.7.0-beta.3, Guest Lobby was vulnerable to cross-site scripting when users wait to enter the meeting due to inserting unsanitized messages to the element using unsafe innerHTML. Text sanitizing was added for lobby messages starting in versions 2.6.11 and 2.7.0-beta.3. There are no known workarounds.

Mögliche Gegenmaßnahme

Server: There are no workarounds. We recommend upgrading to a patched version of BigBlueButton.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

NVD 6 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

BigBlueButton ≫ BigBlueButton Version < 2.6.11

BigBlueButton ≫ BigBlueButton Version2.7.0 Updatealpha1

BigBlueButton ≫ BigBlueButton Version2.7.0 Updatealpha2

BigBlueButton ≫ BigBlueButton Version2.7.0 Updatealpha3

BigBlueButton ≫ BigBlueButton Version2.7.0 Updatebeta1

BigBlueButton ≫ BigBlueButton Version2.7.0 Updatebeta2

Weitere Schwachstelleninformationen

SystemBigBlueButton

≫

Produkt Server

Version >= 0.0.0, < 2.6.11

Version >= 2.7.0, < 2.7.0-beta.3

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.42%	0.333

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	6.3	2.8	3.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/bigbluebutton/bigbluebutton/commit/304bc851a00558f99a908880f4ac44234a074c9d

Patch

Third Party Advisory

https://github.com/bigbluebutton/bigbluebutton/pull/18392

Third Party Advisory

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-v6wg-q866-h73x

Third Party Advisory

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-v6wg-q866-h73x

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-43797

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-43797

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-43797

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2023-43797