CVE-2022-31065

BigBlueButton is an open source web conferencing system. In affected versions an attacker can embed malicious JS in their username and have it executed on the victim's client. When a user receives a private chat from the attacker (whose username contains malicious JavaScript), the script gets executed. Additionally when the victim receives a notification that the attacker has left the session. This issue has been patched in version 2.4.8 and 2.5.0. There are no known workarounds for this issue.

Published: Jun 27, 2022
Updated: Nov 16, 2025
CVE: CVE-2022-31065
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
bigbluebutton / bigbluebutton	2.5-alpha1	2.5-alpha1.x
bigbluebutton / bigbluebutton	2.5-beta2	2.5-beta2.x
bigbluebutton / bigbluebutton	2.5-beta1	2.5-beta1.x
bigbluebutton / bigbluebutton	2.5-alpha6	2.5-alpha6.x
bigbluebutton / bigbluebutton	2.5-alpha5	2.5-alpha5.x
bigbluebutton / bigbluebutton	2.5-alpha4	2.5-alpha4.x
bigbluebutton / bigbluebutton	2.5-alpha3	2.5-alpha3.x
bigbluebutton / bigbluebutton	2.5-alpha2	2.5-alpha2.x
bigbluebutton / bigbluebutton	2.4	2.4.8
bigbluebutton / bigbluebutton	2.3.0	2.3.0.x
bigbluebutton / bigbluebutton	2.5-rc.3	2.5-rc.3.x
bigbluebutton / bigbluebutton	2.5-rc.4	2.5-rc.4.x
bigbluebutton / bigbluebutton	2.5-rc.2	2.5-rc.2.x
bigbluebutton / bigbluebutton	2.5-rc.1	2.5-rc.1.x
bigbluebutton / bigbluebutton	2.4.9	2.4.9.x

Vulnerability Database

319,592

CVE-2022-31065

Deep Security Visibility Without the Complexity