CVE-2022-26497: BigBlueButton Greenlight XSS

BigBlueButton Greenlight 2.11.1 allows stored cross-site scripting (XSS). A threat actor can register a username containing a JavaScript payload. The payload is executed in the victim's browser in the “Share room access” dialog if the victim has previously shared access to the particular room with the attacker.


Description

BigBlueButton’s front-end interface Greenlight version 2.11.2 (or earlier) is vulnerable to stored Cross-Site Scripting (XSS) in the “Share Room Access” dialog. A threat actor could inject an XSS payload via the username field. The payload is executed in the “Share Room Access” dialog if the victim has previously shared access to the room with the attacker.

Affected Component

BigBlueButton/Greenlight

Attack Type

Remote

Attack Vectors

To exploit the vulnerability, an attacker needs an active user account in the Greenlight application. Additionally, the victim needs to have shared access to a room with the attacker.
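The stored XSS pattern described above, as an added illustration that is not Greenlight's own code: a constructed share-room dialog renderer that concatenates the username into the markup unescaped, beside the hardened form that HTML-escapes every dynamic value at output time and a defence-in-depth username check at registration. The user records and helper names are assumptions for the example.

```ruby
require "cgi"

# Constructed sample records modelled on the advisory's scenario: one of the
# users who were granted access to a room has a display name carrying markup.
SHARED_USERS = [
  { uid: "u-alice",   name: "Alice" },
  { uid: "u-mallory", name: "Mallory <script>alert(1)</script>" }
].freeze

# Vulnerable pattern: the username is interpolated into the dialog's HTML
# verbatim, so the browser parses the attacker-controlled markup as HTML/JS.
# In a Rails view this typically happens via `raw`, `html_safe` or building
# markup by string concatenation instead of letting ERB escape it.
def render_share_dialog_unsafe(users)
  rows = users.map { |u| "<li data-uid=\"#{u[:uid]}\">#{u[:name]}</li>" }
  "<ul class=\"shared-users\">#{rows.join}</ul>"
end

# Hardened pattern: every dynamic value is escaped for the HTML context it
# lands in (text node and attribute value), so the payload is shown as text.
def render_share_dialog_safe(users)
  rows = users.map do |u|
    "<li data-uid=\"#{CGI.escapeHTML(u[:uid])}\">#{CGI.escapeHTML(u[:name])}</li>"
  end
  "<ul class=\"shared-users\">#{rows.join}</ul>"
end

# Defence in depth at the input side: a display name has no business
# containing angle brackets. Output escaping stays the primary control.
USERNAME_RE = /\A[[:alnum:] ._'-]{1,64}\z/

def valid_username?(name)
  USERNAME_RE.match?(name)
end

# Simple check a reviewer or test can run against rendered output: does a
# raw script tag survive the rendering path?
def contains_raw_script_tag?(html)
  html.downcase.include?("<script")
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe render leaks script tag: #{contains_raw_script_tag?(render_share_dialog_unsafe(SHARED_USERS))}"
  puts "safe render leaks script tag:   #{contains_raw_script_tag?(render_share_dialog_safe(SHARED_USERS))}"
end
```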

Reference

https://github.com/bigbluebutton/greenlight/releases/tag/release-2.12.0

Discoverer

mgm security partners found this vulnerability during a security analysis of the BigBlueButton software ordered by the Federal Office for Information Security in Germany (BSI).

Timeline

  • 4 March 2022: the vulnerability was reported to the BigBlueButton developer team
  • 15 April 2022: Greenlight version 2.12.0 containing the patch for the reported vulnerability was released
