← back
CVE-2023-43797

BigBlueButton Stored Cross-site Scripting vulnerability at Guest Lobby

CVSS 6.3 MEDIUMEPSS 0.4%CWE-79
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.3EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
30 Oct 2023Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
BigBlueButton is an open-source virtual classroom. Prior to versions 2.6.11 and 2.7.0-beta.3, Guest Lobby was vulnerable to cross-site scripting when users wait to enter the meeting due to inserting unsanitized messages to the element using unsafe innerHTML. Text sanitizing was added for lobby messages starting in versions 2.6.11 and 2.7.0-beta.3. There are no known workarounds.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Affected products
bigbluebutton · bigbluebutton

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/bigbluebutton/bigbluebutton/commit/304bc851a00558f99a908880f4ac44234a074c9dhttps://github.com/bigbluebutton/bigbluebutton/pull/18392https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-v6wg-q866-h73x