Wij zijn |

Stored XSS in BigBlueButton

Pentests.nl has discovered a vulnerability in BigBlueButton (version 2.4.7 and prior) which could be exploited to perform stored Cross-Site Scripting (XSS) attacks by sending private messages to users.

About BigBlueButton

BigBlueButton is an open source web conferencing system designed for online meetings and online learning. BigBlueButton is a tool used by instructors and teachers, which helps them access to Learning Management Systems, engagement tools and analytics.


The XSS vulnerability can be triggered by joining a room with a XSS payload as username and send a private message to a user.

Cross-Site Scripting BigBlueButton


A successful exploit allows attackers to inject malicious JavaScript code. Doing this could lead to multiple exploitation scenarios using XSS in BigBlueButton, including adding an administrator account.

CVSS score: 7.2 High
CVSS string: 3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N


Update BigBlueButton to version 2.48 or 2.5.

Disclosure timeline

24-03-2022 – Bug discovered, initial report to BigBlueButton team
01-04-2022 – A reminder sent
03-04-2022 – Vulnerability acknowledgement by BigBlueButton
09-06-2022 – Private patch was released and pentests.nl verified the patch
09-06-2022 – Public patch was released for versions 2.4 and 2.5 from BigBlueButton
22-06-2022 – Full disclosure



Hoe kunnen wij u helpen?

Server header verwijderen

Ontdek hoe je de Server-header in HTTP-responses beheert voor IIS, Nginx en Apache om je webserver veiliger te maken. Veiligheid is geen luxe, maar een noodzaak.

read more

Certified Az Red Team Professional (CARTP) review

In this blog post, I share my personal journey and insights from undertaking the Certified Azure Red Team Professional (CARTP) certification offered by Altered Security (former Pentester Academy). The course is a mix of lectures, demos, exercises, and hands-on practice, with a strong focus on methodology and techniques rather than specific tools.

read more