exploitDog

CVE-2022-26497

Published: 02 Jun 2022
Source: nvd
CVSS3: 5.4
CVSS2: 3.5
EPSS: Low

Description

BigBlueButton Greenlight 2.11.1 allows XSS. A threat actor could have a username containing a JavaScript payload. The payload gets executed in the browser of the victim in the "Share room access" dialog if the victim has shared access to the particular room with the attacker previously.

Vulnerable configurations

Configuration 1
cpe:2.3:a:bigbluebutton:greenlight:2.11.1:*:*:*:*:*:*:*

EPSS

Percentile: 49%
0.00258
Low

5.4 Medium

CVSS3

3.5 Low

CVSS2

Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 5.4
github
more than 3 years ago

BigBlueButton Greenlight 2.11.1 allows XSS. A threat actor could have a username containing a JavaScript payload. The payload gets executed in the browser of the victim in the "Share room access" dialog if the victim has shared access to the particular room with the attacker previously.
