oss-sec mailing list archives
XSS in BigBlueButton < 2.2.6
From: Hanno Böck <hanno () hboeck de>
Date: Thu, 14 May 2020 10:21:17 +0200
BigBlueButton was vulnerable to Cross Site Scripting in the Presentation upload. When one uploads a presentation that is an HTML payload, but named as an image (e.g. "foo.png") and allows download the download would be served with an HTML mime type and executed in the browser. Proof of concept: * create file named foo.png with content: <html><script>alert(document.domain)</script> * Upload as presentation, allow download. * Click on download. I reported this to the BigBlueButton developers, but was informed that at this point it was already fixed. It was previously reported here [1]. [1] https://github.com/bigbluebutton/bigbluebutton/pull/9102 -- Hanno Böck https://hboeck.de/
Current thread:
- XSS in BigBlueButton < 2.2.6 Hanno Böck (May 14)