Headline
CVE-2022-31065
BigBlueButton is an open source web conferencing system. In affected versions an attacker can embed malicious JavaScript in their username and have it executed on a victim's client. The script runs when the victim receives a private chat from the attacker (whose username contains the malicious JavaScript), and again when the victim receives the notification that the attacker has left the session. This issue has been patched in versions 2.4.8 and 2.5.0. There are no known workarounds for this issue.
Impact
The attacker can embed malicious JavaScript in their username and have it executed on the victim's client, i.e. a stored cross-site scripting (XSS) vulnerability in the client's rendering of other users' names.
Description
When a user receives a private chat from the attacker (whose username contains malicious JavaScript), the script gets executed. The script is executed again when the victim receives the notification that the attacker has left the session, since that notification also renders the attacker's username.
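The following is an added example and is not BigBlueButton's own code. It models the two rendering paths named above (the sender name on a private chat message and the "has left the session" notification) as plain string templates, so it runs in Node without a DOM. It shows the vulnerable form, where the username is interpolated straight into markup, next to the hardened form, where every user-controlled field is HTML-escaped at the point it enters the markup. The function names, the attacker username and the tag-counting oracle are all constructed for illustration.

```javascript
// Added example, not BigBlueButton code. Demonstrates how an unescaped
// username becomes stored XSS in chat and presence notifications, and how
// output escaping closes both paths.

// Constructed attacker username: a display name that doubles as an HTML
// event-handler payload. The name is stored once and rendered many times.
const ATTACKER_USERNAME = 'Mallory<img src=x onerror="alert(document.cookie)">';

// Minimal HTML escaping, safe for text nodes and double-quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Vulnerable: the message body is escaped but the sender name is not, so
// the attacker's username lands in the DOM as live markup.
function renderPrivateChatVulnerable(senderName, text) {
  return `<div class="chat-message"><span class="sender">${senderName}</span>: ${escapeHtml(text)}</div>`;
}

// Vulnerable: the "user left" toast interpolates the raw username.
function renderLeaveNoticeVulnerable(username) {
  return `<div class="toast">${username} has left the session</div>`;
}

// Fixed: every user-controlled value is escaped where it enters the markup.
function renderPrivateChatSafe(senderName, text) {
  return `<div class="chat-message"><span class="sender">${escapeHtml(senderName)}</span>: ${escapeHtml(text)}</div>`;
}

function renderLeaveNoticeSafe(username) {
  return `<div class="toast">${escapeHtml(username)} has left the session</div>`;
}

// Oracle: count HTML start tags in the rendered output. The template alone
// contributes a fixed number; any extra start tag was injected by user input.
function countStartTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Render each path with the attacker username and report how many tags the
// username managed to inject (0 means the rendering is safe).
function demo() {
  const cases = [
    ['chatVulnerable', () => renderPrivateChatVulnerable(ATTACKER_USERNAME, 'hi'), 2],
    ['chatSafe', () => renderPrivateChatSafe(ATTACKER_USERNAME, 'hi'), 2],
    ['leaveVulnerable', () => renderLeaveNoticeVulnerable(ATTACKER_USERNAME), 1],
    ['leaveSafe', () => renderLeaveNoticeSafe(ATTACKER_USERNAME), 1],
  ];
  const results = {};
  for (const [name, render, templateTags] of cases) {
    const html = render();
    results[name] = { html, injectedTags: countStartTags(html) - templateTags };
  }
  return results;
}

for (const [name, r] of Object.entries(demo())) {
  console.log(`${name}: injectedTags=${r.injectedTags} ${r.html}`);
}
```

The point the oracle makes is that the fix belongs at every place the username is rendered, not only in the chat component: a name that is escaped in the chat list but concatenated into a toast still executes. Validating usernames at join time is useful defense in depth, but the names are already stored, so output escaping (or rendering through a framework path that escapes by default rather than through raw HTML insertion) is the control that actually closes the issue.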
Patches
Patched on BigBlueButton 2.4.8 and higher.
Patched on BigBlueButton 2.5.0 and higher.
Workarounds
No workarounds.
References
Patched on BigBlueButton 2.5 #15087
Patched on BigBlueButton 2.4 #15090
For more information
If you have any questions or comments about this advisory:
Email us at security at bigbluebutton.org
Credits
We thank mgm security partners GmbH, who examined the BigBlueButton code base and responsibly disclosed this vulnerability.