Description
BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, the recording playback (presentation format) was not sanitizing user's input in public chat. This allowed for a malicious actor to craft and carry out a targeted XSS attack, activated on anyone replaying the recording. This issue has been fixed 3.0.19.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None
Affected products
- bigbluebutton / bbb-playback< 5.4.3 – < 5.4.3
- bigbluebutton / bigbluebutton< 3.0.19 – < 3.0.19
- blindsidenetworks / scalite< 1.7.0 – < 1.7.0
References
- VENDOR_ADVISORYhttps://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-8vv7-vj94-q2pv
- PATCHhttps://github.com/bigbluebutton/bbb-playback/commit/09e89bfe4ff8488b68c3ff040d3081e419dc89b1
- PATCHhttps://github.com/bigbluebutton/bigbluebutton/commit/69f45aa1b963dc7d80179d0155acc670aec5c4fc
- PATCHhttps://github.com/bigbluebutton/bigbluebutton/releases/tag/v3.0.19
- PATCHhttps://github.com/blindsidenetworks/scalelite/releases/tag/v1.7.0