Unrated severityNVD Advisory· Published Jun 27, 2022· Updated Apr 23, 2025

Cross site scripting vulnerability for private chat in bigbluebutton

CVE-2022-31065

Description

BigBlueButton is an open source web conferencing system. In affected versions an attacker can embed malicious JS in their username and have it executed on the victim's client. When a user receives a private chat from the attacker (whose username contains malicious JavaScript), the script gets executed. Additionally when the victim receives a notification that the attacker has left the session. This issue has been patched in version 2.4.8 and 2.5.0. There are no known workarounds for this issue.

Affected products

Bigbluebutton/Bigbluebuttonv5
Range: < 2.4.8

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/bigbluebutton/bigbluebutton/pull/15087mitrex_refsource_MISC
github.com/bigbluebutton/bigbluebutton/pull/15090mitrex_refsource_MISC
github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-8m2p-7qv3-qff7mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000