BigBlueButton prior to 2.2.4 allows XSS via closed captions because dangerouslySetInnerHTML in React is used.
bigbluebutton bigbluebutton