BigBlueButton vulnerable to Stored XSS via name of user at Shared Notes

BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.13, the "Shared Notes" feature contains a Stored Cross-Site Scripting (XSS) vulnerability with the input location being the "Username" field and the output location on the "Shared Notes" page, when a user with a malicious username is editing content. This vulnerability allows a low-privileged user to execute arbitrary JavaScript in the context of higher-privileged users (e.g., Admins) who open the Shared Notes page. Version 3.0.13 fixes the issue.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

BigBlueButton 跨站脚本漏洞

BigBlueButton是BigBlueButton社区的一套开源的Web会议系统。 BigBlueButton 3.0.13之前版本存在跨站脚本漏洞，该漏洞源于共享笔记功能中用户名字段输入清理不当，可能导致存储型跨站脚本攻击。

N/A

N/A