Lucene search

[email protected]NVD:CVE-2023-43797

HistoryOct 30, 2023 - 11:15 p.m.

CVE-2023-43797

2023-10-3023:15:08

CWE-79

[email protected]

web.nvd.nist.gov

bigbluebutton

virtual classroom

cross-site scripting

xss

vulnerability

versions 2.6.11

2.7.0-beta.3

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

21.3%

JSON

BigBlueButton is an open-source virtual classroom. Prior to versions 2.6.11 and 2.7.0-beta.3, Guest Lobby was vulnerable to cross-site scripting when users wait to enter the meeting due to inserting unsanitized messages to the element using unsafe innerHTML. Text sanitizing was added for lobby messages starting in versions 2.6.11 and 2.7.0-beta.3. There are no known workarounds.

Affected configurations

NVD

Node

bigbluebuttonbigbluebuttonRange<2.6.11

bigbluebuttonbigbluebuttonMatch2.7.0alpha1

bigbluebuttonbigbluebuttonMatch2.7.0alpha2

bigbluebuttonbigbluebuttonMatch2.7.0alpha3

bigbluebuttonbigbluebuttonMatch2.7.0beta1

bigbluebuttonbigbluebuttonMatch2.7.0beta2

References

github.com/bigbluebutton/bigbluebutton/commit/304bc851a00558f99a908880f4ac44234a074c9d

github.com/bigbluebutton/bigbluebutton/pull/18392

github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-v6wg-q866-h73x