CVE-2022-31064
BigBlueButton is an open source web conferencing system. Users in meetings with private chat enabled are vulnerable to a cross site scripting attack in affected versions. The attack occurs when the attacker (with xss in the name) starts a chat. in the victim's client the JavaScript will be executed. This issue has been addressed in version 2.4.8 and 2.5.0. There are no known workarounds for this issue.
| Software | From | Fixed in |
|---|---|---|
| bigbluebutton / bigbluebutton | 2.5-alpha1 | 2.5-alpha1.x |
| bigbluebutton / bigbluebutton | 2.5-beta2 | 2.5-beta2.x |
| bigbluebutton / bigbluebutton | 2.5-beta1 | 2.5-beta1.x |
| bigbluebutton / bigbluebutton | 2.5-alpha6 | 2.5-alpha6.x |
| bigbluebutton / bigbluebutton | 2.5-alpha5 | 2.5-alpha5.x |
| bigbluebutton / bigbluebutton | 2.5-alpha4 | 2.5-alpha4.x |
| bigbluebutton / bigbluebutton | 2.5-alpha3 | 2.5-alpha3.x |
| bigbluebutton / bigbluebutton | 2.5-alpha2 | 2.5-alpha2.x |
| bigbluebutton / bigbluebutton | 2.4 | 2.4.8 |
| bigbluebutton / bigbluebutton | 2.3.0 | 2.3.0.x |
| bigbluebutton / bigbluebutton | 2.5-rc.3 | 2.5-rc.3.x |
| bigbluebutton / bigbluebutton | 2.5-rc.4 | 2.5-rc.4.x |
| bigbluebutton / bigbluebutton | 2.5-rc.2 | 2.5-rc.2.x |
| bigbluebutton / bigbluebutton | 2.5-rc.1 | 2.5-rc.1.x |
| bigbluebutton / bigbluebutton | 2.4.9 | 2.4.9.x |
- http://packetstormsecurity.com/files/167682/BigBlueButton-2.3-2.4.7-Cross-Site-Scripting.html
- http://seclists.org/fulldisclosure/2022/Jun/52
- https://github.com/bigbluebutton/bigbluebutton/pull/15067
- https://github.com/bigbluebutton/bigbluebutton/pull/15090
- https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-hwv2-5pf5-hr87
- https://pentests.nl/pentest-blog/stored-xss-in-bigbluebutton/
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime