CVE-2022-31064

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-31064
BigBlueButton is an open source web conferencing system. Users in meetings with private chat enabled are vulnerable to a cross site scripting attack in affected versions. The attack occurs when the attacker (with xss in the name) starts a chat. in the victim's client the JavaScript will be executed. This issue has been addressed in version 2.4.8 and 2.5.0. There are no known workarounds for this issue.

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 3.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

2.1 /10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:N/AC:H/Au:S/C:N/I:P/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector NETWORK

Access Complexity HIGH

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References
Link Resource
http://packetstormsecurity.com/files/167682/BigBlueButton-2.3-2.4.7-Cross-Site-Scripting.html Exploit Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2022/Jun/52 Exploit Mailing List Third Party Advisory
https://github.com/bigbluebutton/bigbluebutton/pull/15067 Patch Release Notes Third Party Advisory
https://github.com/bigbluebutton/bigbluebutton/pull/15090 Patch Third Party Advisory
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-hwv2-5pf5-hr87 Patch Third Party Advisory
https://pentests.nl/pentest-blog/stored-xss-in-bigbluebutton/ Exploit Third Party Advisory
http://packetstormsecurity.com/files/167682/BigBlueButton-2.3-2.4.7-Cross-Site-Scripting.html Exploit Third Party Advisory VDB Entry
http://seclists.org/fulldisclosure/2022/Jun/52 Exploit Mailing List Third Party Advisory
https://github.com/bigbluebutton/bigbluebutton/pull/15067 Patch Release Notes Third Party Advisory
https://github.com/bigbluebutton/bigbluebutton/pull/15090 Patch Third Party Advisory
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-hwv2-5pf5-hr87 Patch Third Party Advisory
https://pentests.nl/pentest-blog/stored-xss-in-bigbluebutton/ Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*
cpe:2.3:a:bigbluebutton:bigbluebutton:2.3.0:*:*:*:*:*:*:*
cpe:2.3:a:bigbluebutton:bigbluebutton:2.4.9:*:*:*:*:*:*:*
cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:alpha1:*:*:*:*:*:*
cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:alpha2:*:*:*:*:*:*
cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:alpha3:*:*:*:*:*:*
cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:alpha4:*:*:*:*:*:*
cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:alpha5:*:*:*:*:*:*
cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:alpha6:*:*:*:*:*:*
cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:beta1:*:*:*:*:*:*
cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:beta2:*:*:*:*:*:*
cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:rc.1:*:*:*:*:*:*
cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:rc.2:*:*:*:*:*:*
cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:rc.3:*:*:*:*:*:*
cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:rc.4:*:*:*:*:*:*
History

No history.

Information

Published : 2022-06-27 20:15

Updated : 2024-11-21 07:03

NVD link : CVE-2022-31064

Mitre link : CVE-2022-31064

CVE.ORG link : CVE-2022-31064

JSON object : View

Products Affected

bigbluebutton

  • bigbluebutton
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')