Cross site scripting in username that will trigger by sending chat
CVE-2022-31064

6.5MEDIUM

Key Information:

Vendor

Bigbluebutton

Status
Bigbluebutton
Vendor
CVE Published:
27 June 2022

What is CVE-2022-31064?

BigBlueButton is an open source web conferencing system. Users in meetings with private chat enabled are vulnerable to a cross site scripting attack in affected versions. The attack occurs when the attacker (with xss in the name) starts a chat. in the victim's client the JavaScript will be executed. This issue has been addressed in version 2.4.8 and 2.5.0. There are no known workarounds for this issue.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

bigbluebutton < 2.4.8

References

https://github.com/bigbluebutton/bigbluebutton/pull/15090
x_refsource_MISC
https://github.com/bigbluebutton/bigbluebutton/security/a...
x_refsource_CONFIRM
https://github.com/bigbluebutton/bigbluebutton/pull/15067
x_refsource_MISC

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.