Vulnerability Description
BigBlueButton is an open-source virtual classroom. Prior to versions 2.6.11 and 2.7.0-beta.3, the Guest Lobby (the page shown to users waiting to be admitted to a meeting) was vulnerable to cross-site scripting: lobby messages were inserted into the page element through the unsafe innerHTML property without being sanitized, so a message containing HTML markup was rendered as markup rather than as text. Text sanitizing for lobby messages was added in versions 2.6.11 and 2.7.0-beta.3. There are no known workarounds; upgrading is the only fix.
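The following is an added illustration, not BigBlueButton's own code: it models the unsafe innerHTML pattern described above beside two hardened renderings, using a minimal stand-in for a DOM element so it runs under Node without a browser. The element stand-in, the function names, the sample lobby message and the markup extractor are all assumptions made for this example; the advisory only says that text sanitizing was added, not which method the project chose.

```javascript
// Added example (not BigBlueButton code). Shows why assigning an untrusted
// lobby message to innerHTML is exploitable and what the sanitized form does.

// Constructed sample messages, as a moderator-controlled string could arrive
// from the server. The onerror payload is the classic innerHTML-based XSS.
const MALICIOUS_MESSAGE = '<img src=x onerror="alert(document.cookie)">';
const BENIGN_MESSAGE = 'The host will admit you in 5 < 10 minutes & thanks for waiting';

// Minimal element stand-in (assumption): just records what was assigned.
function makeElement() {
  return { innerHTML: '', textContent: '' };
}

// Escape the characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the raw message is interpolated into markup and the
// browser parses it, so any tag or event handler in the message goes live.
function renderLobbyMessageUnsafe(el, message) {
  el.innerHTML = `<span class="lobby-message">${message}</span>`;
  return el;
}

// Hardened pattern 1: escape before interpolating into markup.
function renderLobbyMessageEscaped(el, message) {
  el.innerHTML = `<span class="lobby-message">${escapeHtml(message)}</span>`;
  return el;
}

// Hardened pattern 2: never treat the message as markup at all.
function renderLobbyMessageText(el, message) {
  el.textContent = message;
  return el;
}

// Crude model of what an HTML parser would turn into live markup: every
// start tag and every on*-event attribute it carries. It is deliberately
// simple; its only job is to show whether attacker text crossed the
// data/markup boundary.
function extractActiveMarkup(html) {
  const tags = [];
  const handlers = [];
  const tagRe = /<([a-zA-Z][\w-]*)([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    tags.push(m[1].toLowerCase());
    const attrRe = /\s(on[a-zA-Z]+)\s*=/g;
    let a;
    while ((a = attrRe.exec(m[2])) !== null) handlers.push(a[1].toLowerCase());
  }
  return { tags, handlers };
}

// Compare the three renderings on the same malicious message.
function compareRenderings(message) {
  return {
    unsafe: extractActiveMarkup(renderLobbyMessageUnsafe(makeElement(), message).innerHTML),
    escaped: extractActiveMarkup(renderLobbyMessageEscaped(makeElement(), message).innerHTML),
    text: extractActiveMarkup(renderLobbyMessageText(makeElement(), message).innerHTML),
  };
}

console.log(JSON.stringify(compareRenderings(MALICIOUS_MESSAGE), null, 2));
```

Under the unsafe rendering the extractor reports an injected `img` tag carrying an `onerror` handler; under either hardened rendering only the wrapper `span` (or nothing, for textContent) is markup, and the benign message with `<` and `&` still displays correctly because escaping is reversible by the parser.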
CVSS Score
6.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bigbluebutton | Bigbluebutton | < 2.6.11 (2.7.0 pre-releases before 2.7.0-beta.3 are also affected) |
Related Weaknesses (CWE)
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
References
- https://github.com/bigbluebutton/bigbluebutton/commit/304bc851a00558f99a908880f4 (Patch, Third Party Advisory)
- https://github.com/bigbluebutton/bigbluebutton/pull/18392 (Third Party Advisory)
- https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-v6wg-q86 (Third Party Advisory)
FAQ
What is CVE-2023-43797?
CVE-2023-43797 is a cross-site scripting vulnerability in BigBlueButton, an open-source virtual classroom, with a CVSS base score of 6.3 (MEDIUM). Prior to versions 2.6.11 and 2.7.0-beta.3, the Guest Lobby inserted unsanitized lobby messages into the page through the unsafe innerHTML property while users waited to enter a meeting, so a crafted message could execute script in the waiting user's browser.
How severe is CVE-2023-43797?
CVE-2023-43797 has been rated MEDIUM with a CVSS base score of 6.3/10. This page lists only the base score, not the full CVSS vector; consult the GitHub security advisory in the references for the per-metric breakdown.
Is there a patch for CVE-2023-43797?
Yes. The vulnerability is fixed in BigBlueButton 2.6.11 and 2.7.0-beta.3, which add text sanitizing for Guest Lobby messages; the fixing commit, pull request and GitHub security advisory are listed in the references section above. No workaround is known, so affected deployments should upgrade.