CVE-2022-27238: XSS
First published: Fri Jun 24 2022(Updated: )
BigBlueButton version 2.4.7 (or earlier) is vulnerable to stored Cross-Site Scripting (XSS) in the private chat functionality. A threat actor could inject JavaScript payload in his/her username. The payload gets executed in the browser of the victim each time the attacker sends a private message to the victim or when notification about the attacker leaving room is displayed.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Bigbluebutton Bigbluebutton | <=2.4.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2022-27238?
The severity of CVE-2022-27238 is medium with a CVSS score of 5.4.
What is the vulnerability in BigBlueButton version 2.4.7?
BigBlueButton version 2.4.7 is vulnerable to stored Cross-Site Scripting (XSS) in the private chat functionality.
How can an attacker exploit CVE-2022-27238?
An attacker can exploit CVE-2022-27238 by injecting JavaScript payload in their username and sending a private message to the victim, executing the payload in the victim's browser.
Is BigBlueButton version 2.4.7 the only affected version?
Yes, BigBlueButton version 2.4.7 (or earlier) is the only affected version.
What is the recommended action to fix CVE-2022-27238?
To fix CVE-2022-27238, it is recommended to update BigBlueButton to a version later than 2.4.7 that includes the security patch.
- collector/nvd-index
- agent/references
- agent/weakness
- agent/severity
- agent/author
- agent/description
- agent/type
- agent/event
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/bigbluebutton
- canonical/bigbluebutton bigbluebutton
- version/bigbluebutton bigbluebutton/2.4.7