Wij zijn |

Stored XSS in BigBlueButton

Pentests.nl has discovered a vulnerability in BigBlueButton (version 2.4.7 and prior) which could be exploited to perform stored Cross-Site Scripting (XSS) attacks by sending private messages to users.

About BigBlueButton

BigBlueButton is an open source web conferencing system designed for online meetings and online learning. BigBlueButton is a tool used by instructors and teachers, which helps them access to Learning Management Systems, engagement tools and analytics.


The XSS vulnerability can be triggered by joining a room with a XSS payload as username and send a private message to a user.

Cross-Site Scripting BigBlueButton


A successful exploit allows attackers to inject malicious JavaScript code. Doing this could lead to multiple exploitation scenarios using XSS in BigBlueButton, including adding an administrator account.

CVSS score: 7.2 High
CVSS string: 3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N


Update BigBlueButton to version 2.48 or 2.5.

Disclosure timeline

24-03-2022 – Bug discovered, initial report to BigBlueButton team
01-04-2022 – A reminder sent
03-04-2022 – Vulnerability acknowledgement by BigBlueButton
09-06-2022 – Private patch was released and pentests.nl verified the patch
09-06-2022 – Public patch was released for versions 2.4 and 2.5 from BigBlueButton
22-06-2022 – Full disclosure



Hoe kunnen wij u helpen?

Verander regelmatig je wachtwoord!

Gebruik van oude wachtwoorden voor administrators kan ernstige risico’s met zich meebrengen voor het bedrijfsnetwerk. Zorg ervoor dat wachtwoorden regelmatig geüpdatet worden om inbraken te voorkomen en de beveiliging van het netwerk te verbeteren.

read more