Description

BigBlueButton’s front-end interface Greenlight version 2.11.2 (or earlier) is vulnerable to stored Cross-Site Scripting (XSS) in the “Share Room Access” dialog. A threat actor could inject XSS payload in the username field. The payload gets executed in the “Share Room Access” dialog if the victim has shared access to the room with the attacker previously.

Affected Component

BigBlueButton/Greenlight

Attack Type

Remote

Attack Vectors

To exploit the vulnerability, an attacker needs an active user account in the Greenlight application. Additionally, the victim needs to have shared access to a room with the attacker.

Reference

https://github.com/bigbluebutton/greenlight/releases/tag/release-2.12.0.

Discoverer

mgm security partners found this vulnerability during a security analysis of the BigBlueButton software ordered by the Federal Office for Information Security in Germany (BSI).

Timeline

• 4 March 2022: the vulnerability was reported to the BigBlueButton developer team

• 15 April 2022: Greenlight version 2.12.0 containing the patch for the reported vulnerability was released