{"id":"CVE-2022-26497","details":"BigBlueButton Greenlight 2.11.1 allows XSS. A threat actor could have a username containing a JavaScript payload. The payload gets executed in the browser of the victim in the \"Share room access\" dialog if the victim has shared access to the particular room with the attacker previously.","modified":"2026-04-12T05:04:50.192479Z","published":"2022-06-02T18:15:09.567Z","references":[{"type":"WEB","url":"http://packetstormsecurity.com/files/172143/Shannon-Baseband-acfg-pcfg-SDP-Attribute-Memory-Corruption.html"},{"type":"FIX","url":"https://www.mgm-sp.com/en/cve-2022-26497-bigbluebutton-greenlight-xss/"},{"type":"EVIDENCE","url":"https://github.com/bigbluebutton/greenlight/blob/master/app/assets/javascripts/room.js#L352"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/bigbluebutton/greenlight","events":[{"introduced":"0"},{"last_affected":"37a66dcc1ef3750f45ddd2427b714ffd69d3fd1b"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"2.11.1"}],"cpe":"cpe:2.3:a:bigbluebutton:greenlight:2.11.1:*:*:*:*:*:*:*"}}],"versions":["release-2.0.0","release-2.0.1","release-2.0.2","release-2.0.3","release-2.0.4","release-2.0.5","release-2.0.6","release-2.0.7","release-2.0.8","release-2.0.9","release-2.1.0","release-2.1.1","release-2.1.2","release-2.1.3","release-2.10.0","release-2.10.0.1","release-2.10.0.1-beta.1","release-2.10.0.2","release-2.10.0.3","release-2.11.0","release-2.11.1","release-2.2.0","release-2.2.1","release-2.2.2","release-2.2.3","release-2.3.0","release-2.3.1","release-2.3.2","release-2.3.3","release-2.3.4","release-2.4","release-2.4-b1","release-2.4-b2","release-2.4-b3","release-2.4-rc1","release-2.4.1","release-2.4.2","release-2.4.2-rc.1","release-2.5","release-2.5-rc.1","release-2.5.1","release-2.5.2","release-2.5.3","release-2.5.5","release-2.5.6","release-2.6","release-2.6.1","release-2.6.2","release-2.6.3","release-2.6.4","release-2.6.5","release-2.7","release-2.7.1","release-2.7.10","release-2.7.11","release-2.7.12","release-2.7.13","release-2.7.14","release-2.7.15","release-2.7.15.1","release-2.7.16","release-2.7.17","release-2.7.18","release-2.7.19","release-2.7.2","release-2.7.20","release-2.7.3","release-2.7.4","release-2.7.5","release-2.7.6","release-2.7.7","release-2.7.8","release-2.7.9","release-2.8","release-2.8.1","release-2.8.2","release-2.8.2.1","release-2.8.2.2","release-2.8.3","release-2.8.4","release-2.8.5","release-2.8.6","release-2.8.7","release-2.9.0","release-2.9.1","release-2.9.2","release-2.9.3-beta.1","release-2.9.3-beta.2","release-2.9.3-beta.3"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-26497.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}]}