Vulnerability Description
BigBlueButton Greenlight 2.11.1 allows XSS. A threat actor could have a username containing a JavaScript payload. The payload gets executed in the browser of the victim in the "Share room access" dialog if the victim has shared access to the particular room with the attacker previously.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bigbluebutton | Greenlight | 2.11.1 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/172143/Shannon-Baseband-acfg-pcfg-SDP-Attri
- https://github.com/bigbluebutton/greenlight/blob/master/app/assets/javascripts/rExploitThird Party Advisory
- https://www.mgm-sp.com/en/cve-2022-26497-bigbluebutton-greenlight-xss/PatchThird Party Advisory
- http://packetstormsecurity.com/files/172143/Shannon-Baseband-acfg-pcfg-SDP-Attri
- https://github.com/bigbluebutton/greenlight/blob/master/app/assets/javascripts/rExploitThird Party Advisory
- https://www.mgm-sp.com/en/cve-2022-26497-bigbluebutton-greenlight-xss/PatchThird Party Advisory
FAQ
What is CVE-2022-26497?
CVE-2022-26497 is a vulnerability with a CVSS score of 5.4 (MEDIUM). BigBlueButton Greenlight 2.11.1 allows XSS. A threat actor could have a username containing a JavaScript payload. The payload gets executed in the browser of the victim in the "Share room access" dial...
How severe is CVE-2022-26497?
CVE-2022-26497 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-26497?
Check the references section above for vendor advisories and patch information. Affected products include: Bigbluebutton Greenlight.