Unrated severityNVD Advisory· Published Oct 30, 2023· Updated Sep 5, 2024

BigBlueButton Stored Cross-site Scripting vulnerability at Guest Lobby

CVE-2023-43797

Description

BigBlueButton is an open-source virtual classroom. Prior to versions 2.6.11 and 2.7.0-beta.3, Guest Lobby was vulnerable to cross-site scripting when users wait to enter the meeting due to inserting unsanitized messages to the element using unsafe innerHTML. Text sanitizing was added for lobby messages starting in versions 2.6.11 and 2.7.0-beta.3. There are no known workarounds.

Affected products

Bigbluebutton/Bigbluebuttonv5
Range: < 2.6.11

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/bigbluebutton/bigbluebutton/commit/304bc851a00558f99a908880f4ac44234a074c9dmitrex_refsource_MISC
github.com/bigbluebutton/bigbluebutton/pull/18392mitrex_refsource_MISC
github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-v6wg-q866-h73xmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000