WordPress BigBlueButton Plugin <= 3.0.0-beta.4 is vulnerable to Cross Site Scripting (XSS)
CVE-2023-39991

7.1HIGH

Key Information:

Vendor: WordPress
Status: Bigbluebutton
Vendor: CVE Published:; 4 September 2023

Summary

An unauthenticated reflected cross-site scripting (XSS) vulnerability has been identified in the Blindside Networks BigBlueButton plugin versions up to 3.0.0-beta.4. This vulnerability allows attackers to execute arbitrary JavaScript code in the context of the user's browser, potentially leading to unauthorized actions and data theft, as users access malicious links generated by the attacker. Proper validation of user inputs and outputs is crucial to mitigate risks associated with this vulnerability.

Affected Version(s)

BigBlueButton <= 3.0.0-beta.4

References

https://patchstack.com/database/vulnerability/bigbluebutt...

vdb-entry

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Sep 4, 2023
Vulnerability Reserved
Aug 8, 2023

Credit

Ivy (Patchstack Alliance)