CVE-2023-43797

Source
https://cve.org/CVERecord?id=CVE-2023-43797
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-43797.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-43797
Aliases
  • GHSA-v6wg-q866-h73x
Published
2023-10-30T22:18:11.821Z
Modified
2026-04-10T05:02:51.459362Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Summary
BigBlueButton Stored Cross-site Scripting vulnerability at Guest Lobby
Details

BigBlueButton is an open-source virtual classroom. Prior to versions 2.6.11 and 2.7.0-beta.3, the Guest Lobby was vulnerable to stored cross-site scripting while users wait to enter a meeting, because lobby messages were inserted into the page element unsanitized via the unsafe innerHTML property. Text sanitizing for lobby messages was added in versions 2.6.11 and 2.7.0-beta.3. There are no known workarounds.

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/43xxx/CVE-2023-43797.json",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/bigbluebutton/bigbluebutton

Affected ranges

Type
GIT
Repo
https://github.com/bigbluebutton/bigbluebutton
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.6.11"
        }
    ]
}
Type
GIT
Repo
https://github.com/bigbluebutton/bigbluebutton
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.7.0-alpha.1"
        },
        {
            "fixed": "2.7.0-beta.3"
        }
    ]
}

Affected versions

2.*
2.2-beta-10
2.2-beta-11
2.2-beta-12
2.2-beta-14
2.2-beta-15
2.2-beta-16
2.2-beta-17
2.2-beta-18
2.2-beta-19
2.2-beta-2
2.2-beta-20
2.2-beta-21
2.2-beta-22
2.2-beta-23
2.2-beta-3
2.2-beta-4
2.2-beta-5
2.2-beta-6
2.2-beta-7
2.2-beta-8
2.2-beta-9
2.2-rc-1
2.2-rc-2
2.2-rc-3
Other
dcs-2-a
v0.*
v0.8
v0.8b4
v0.8b4.0
v0.8rc2
v0.9.0-beta
v2.*
v2.3-alpha-1
v2.3-alpha-2
v2.3-alpha-3
v2.3-alpha-4
v2.3-alpha-5
v2.3-alpha-6
v2.3-alpha-7
v2.3-alpha-8
v2.3-beta-1
v2.3-beta-2
v2.3-beta-3
v2.3-beta-4
v2.3-beta-5
v2.3-rc-1
v2.3-rc-2
v2.3.0
v2.3.1
v2.4-alpha-1
v2.4-beta-1
v2.4-beta-2
v2.4-beta-3
v2.4-beta-4
v2.6.0
v2.6.0-alpha.1
v2.6.0-alpha.2
v2.6.0-alpha.3
v2.6.0-alpha.4
v2.6.0-beta.1
v2.6.0-beta.2
v2.6.0-beta.3
v2.6.0-beta.4
v2.6.0-beta.5
v2.6.0-beta.6
v2.6.0-beta.7
v2.6.0-rc.1
v2.6.0-rc.2
v2.6.0-rc.3
v2.6.0-rc.4
v2.6.0-rc.5
v2.6.0-rc.6
v2.6.0-rc.7
v2.6.0-rc.9
v2.6.1
v2.6.10
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.6.9
v2.7.0-alpha.1
v2.7.0-alpha.2
v2.7.0-alpha.3
v2.7.0-beta.1
v2.7.0-beta.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-43797.json"