CVE-2022-27238

Name of the Vulnerable Software and Affected Versions BigBlueButton versions 2.4.7 and earlier

Description The issue concerns stored Cross-Site Scripting (XSS) in the private chat functionality. A threat actor could inject a JavaScript payload in their username. The payload gets executed in the victim's browser each time the attacker sends a private message to the victim or when a notification about the attacker leaving the room is displayed.

Recommendations For BigBlueButton versions 2.4.7 and earlier, consider disabling the private chat functionality until a patch is available to prevent exploitation of the stored XSS vulnerability. Restrict access to the private chat feature to minimize the risk of JavaScript payload injection. Avoid using potentially malicious usernames in the private chat until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.