CVE-2023-43797

BigBlueButton Stored Cross-site Scripting vulnerability at Guest Lobby

CVSS 6.3 MEDIUMEPSS 0.4%CWE-79

Vexday Risk Score

13Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 6.3EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

30 out 2023Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

BigBlueButton is an open-source virtual classroom. Prior to versions 2.6.11 and 2.7.0-beta.3, Guest Lobby was vulnerable to cross-site scripting when users wait to enter the meeting due to inserting unsanitized messages to the element using unsafe innerHTML. Text sanitizing was added for lobby messages starting in versions 2.6.11 and 2.7.0-beta.3. There are no known workarounds.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Produtos afetados

bigbluebutton · bigbluebutton

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/bigbluebutton/bigbluebutton/commit/304bc851a00558f99a908880f4ac44234a074c9d https://github.com/bigbluebutton/bigbluebutton/pull/18392 https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-v6wg-q866-h73x