BigBlueButton Greenlight 2.11.1 allows XSS. A threat actor could have a username containing a JavaScript payload. The payload gets executed in the browser of the victim in the "Share room access" dialog if the victim has shared access to the particular room with the attacker previously.
References
Configurations
History
21 Nov 2024, 06:54
Type | Values Removed | Values Added |
---|---|---|
References | () http://packetstormsecurity.com/files/172143/Shannon-Baseband-acfg-pcfg-SDP-Attribute-Memory-Corruption.html - | |
References | () https://github.com/bigbluebutton/greenlight/blob/master/app/assets/javascripts/room.js#L352 - Exploit, Third Party Advisory | |
References | () https://www.mgm-sp.com/en/cve-2022-26497-bigbluebutton-greenlight-xss/ - Patch, Third Party Advisory |
04 May 2023, 17:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
11 Jun 2022, 03:18
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:bigbluebutton:greenlight:2.11.1:*:*:*:*:*:*:* | |
CVSS |
v2 : v3 : |
v2 : 3.5
v3 : 5.4 |
CWE | CWE-79 | |
References | (MISC) https://github.com/bigbluebutton/greenlight/blob/master/app/assets/javascripts/room.js#L352 - Exploit, Third Party Advisory | |
References | (MISC) https://www.mgm-sp.com/en/cve-2022-26497-bigbluebutton-greenlight-xss/ - Patch, Third Party Advisory |
02 Jun 2022, 18:34
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-06-02 18:15
Updated : 2024-11-21 06:54
NVD link : CVE-2022-26497
Mitre link : CVE-2022-26497
CVE.ORG link : CVE-2022-26497
JSON object : View
Products Affected
bigbluebutton
- greenlight
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')