← volver
CVE-2023-43797

BigBlueButton Stored Cross-site Scripting vulnerability at Guest Lobby

CVSS 6.3 MEDIUMEPSS 0.4%CWE-79
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 6.3EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
30 oct 2023Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
BigBlueButton is an open-source virtual classroom. Prior to versions 2.6.11 and 2.7.0-beta.3, Guest Lobby was vulnerable to cross-site scripting when users wait to enter the meeting due to inserting unsanitized messages to the element using unsafe innerHTML. Text sanitizing was added for lobby messages starting in versions 2.6.11 and 2.7.0-beta.3. There are no known workarounds.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Productos afectados
bigbluebutton · bigbluebutton

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/bigbluebutton/bigbluebutton/commit/304bc851a00558f99a908880f4ac44234a074c9dhttps://github.com/bigbluebutton/bigbluebutton/pull/18392https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-v6wg-q866-h73x