CVE-2023-43797 MEDIUM

CVE-2023-43797: BigBlueButton Stored Cross-site Scripting vulnerability at Guest Lobby

Vendor Bigbluebutton
Product bigbluebutton
Weakness CWE-79 · XSS
Published October 30, 2023
Last update September 5, 2024
View on NVD All CVEs

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

BigBlueButton is an open-source virtual classroom. Prior to versions 2.6.11 and 2.7.0-beta.3, Guest Lobby was vulnerable to cross-site scripting when users wait to enter the meeting due to inserting unsanitized messages to the element using unsafe innerHTML. Text sanitizing was added for lobby messages starting in versions 2.6.11 and 2.7.0-beta.3. There are no known workarounds.

Key dates

02Disclosure timeline

October 30, 2023 CVE published
September 5, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-13977 Essential Addons for Elementor – Popular Elementor Templates & Widgets <= 6.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2025-49357 WordPress Audiomack plugin <= 1.4.8 - Cross Site Scripting (XSS) vulnerability CVE-2024-12516 Coupon Plugin <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2024-7737 Stored Cross-site Scripting (XSS) vulnerability affecting 3DSwym in 3DSwymer from Release 3DEXPERIENCE R2022x through Release 3DEXPERIENCE R2024x CVE-2025-52741 WordPress Post Connector Plugin <= 1.0.11 - Cross Site Scripting (XSS) Vulnerability