Date: Thu, 14 May 2020 10:21:17 +0200 From: Hanno Böck <hanno@...eck.de> To: oss-security@...ts.openwall.com Subject: XSS in BigBlueButton < 2.2.6 BigBlueButton was vulnerable to Cross Site Scripting in the Presentation upload. When one uploads a presentation that is an HTML payload, but named as an image (e.g. "foo.png") and allows download the download would be served with an HTML mime type and executed in the browser. Proof of concept: * create file named foo.png with content: <html><script>alert(document.domain)</script> * Upload as presentation, allow download. * Click on download. I reported this to the BigBlueButton developers, but was informed that at this point it was already fixed. It was previously reported here .  https://github.com/bigbluebutton/bigbluebutton/pull/9102 -- Hanno Böck https://hboeck.de/
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.