Impact
Users in meetings that have private chat enabled.
Description
Pentests.nl discovered a stored Cross-Site Scripting (XSS) vulnerability in BigBlueButton: a meeting participant could place script in a private chat message, and that message was stored and later rendered in the recipient's client in a way that executed the injected script.
Patches
Patched on BigBlueButton 2.4.8 and higher.
Patched on BigBlueButton 2.5.0 and higher.
Workarounds
No workarounds.
References
Security advisory https://pentests.nl/pentest-blog/stored-xss-in-bigbluebutton/
Patch for BigBlueButton 2.5: #15067
Patch for BigBlueButton 2.4: #15090
For more information
If you have any questions or comments about this advisory:
Email us at security at bigbluebutton.org
Credits
We thank Rick Verdoes and Danny de Weille from Hackify - https://pentests.nl/, who examined the BigBlueButton code base and responsibly disclosed this vulnerability.