CVE-2022-31064 — MEDIUM (6.5)

Q: How severe is CVE-2022-31064?

CVE-2022-31064 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2022-31064?

Check the references section above for vendor advisories and patch information. Affected products include: Bigbluebutton Bigbluebutton.

Vulnerability Description

BigBlueButton is an open source web conferencing system. Users in meetings with private chat enabled are vulnerable to a cross site scripting attack in affected versions. The attack occurs when the attacker (with xss in the name) starts a chat. in the victim's client the JavaScript will be executed. This issue has been addressed in version 2.4.8 and 2.5.0. There are no known workarounds for this issue.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Bigbluebutton	Bigbluebutton	>= 2.4, < 2.4.8

Related Weaknesses (CWE)

CWE-79

References

http://packetstormsecurity.com/files/167682/BigBlueButton-2.3-2.4.7-Cross-Site-SExploitThird Party AdvisoryVDB Entry
http://seclists.org/fulldisclosure/2022/Jun/52ExploitMailing ListThird Party Advisory
https://github.com/bigbluebutton/bigbluebutton/pull/15067PatchRelease NotesThird Party Advisory
https://github.com/bigbluebutton/bigbluebutton/pull/15090PatchThird Party Advisory
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-hwv2-5pfPatchThird Party Advisory
https://pentests.nl/pentest-blog/stored-xss-in-bigbluebutton/ExploitThird Party Advisory
http://packetstormsecurity.com/files/167682/BigBlueButton-2.3-2.4.7-Cross-Site-SExploitThird Party AdvisoryVDB Entry
http://seclists.org/fulldisclosure/2022/Jun/52ExploitMailing ListThird Party Advisory
https://github.com/bigbluebutton/bigbluebutton/pull/15067PatchRelease NotesThird Party Advisory
https://github.com/bigbluebutton/bigbluebutton/pull/15090PatchThird Party Advisory
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-hwv2-5pfPatchThird Party Advisory
https://pentests.nl/pentest-blog/stored-xss-in-bigbluebutton/ExploitThird Party Advisory

FAQ

What is CVE-2022-31064?

CVE-2022-31064 is a vulnerability with a CVSS score of 6.5 (MEDIUM). BigBlueButton is an open source web conferencing system. Users in meetings with private chat enabled are vulnerable to a cross site scripting attack in affected versions. The attack occurs when the at...

How severe is CVE-2022-31064?

CVE-2022-31064 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-31064?

Check the references section above for vendor advisories and patch information. Affected products include: Bigbluebutton Bigbluebutton.