
BigBlueButton Cross-site-scripting vulnerability

May 12, 2022 | Tags: SAST, SCA | Category: CVE News

Persistent XSS in BigBlueButton Chat: Early Detection of Risks for Virtual Conferences (CVE-2022-27238)

Web conferences have become an indispensable part of the daily work routine for many companies. This makes it all the more important that the underlying platforms, such as BigBlueButton, meet the highest security standards. As part of an analysis commissioned by the German Federal Office for Information Security (BSI), we discovered a security-critical vulnerability in version 2.4.7 and earlier versions of BigBlueButton.

Due to an insufficient check of the private chat function, it was possible to store malicious code directly in the user name. Whenever the attacker sent the victim a private message or left the room, the code was executed in the victim's browser. This threatened the integrity of conferences and jeopardized the confidentiality and protection of sensitive data.

The report enabled a rapid remediation of the vulnerability: the problem was fixed in BigBlueButton version 2.5 and in a later patch for version 2.4. In this article, you will learn how the vulnerability worked, what risks it posed, and what measures are now important to protect your web conferences. Secure your digital collaboration; we will be happy to support you in setting up a secure IT infrastructure.

Description

BigBlueButton version 2.4.7 (or earlier) is vulnerable to persistent Cross-Site Scripting (XSS) in the private chat function. An attacker could inject a JavaScript payload into their username. The payload is executed in the victim's browser each time the attacker sends a private message to the victim or when a notification is displayed that the attacker is leaving the room.
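As an added illustration (not BigBlueButton's own code), the following shows the rendering pattern behind this class of bug beside its fix: a display name is attacker-controlled input that the client later interpolates into chat and "left the room" notices. Function names, the notice template and the sample name are assumptions constructed for the example.

```javascript
// Added example, not code from the BigBlueButton project.
// Map of the five characters that can alter HTML structure or break out of an attribute.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape untrusted text so the browser renders it as text, never as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (assumed template): the raw user name is concatenated into
// markup that is then assigned to innerHTML, so markup inside the name becomes
// part of the DOM in every viewer's browser. This is the persistent-XSS shape.
function renderLeaveNoticeUnsafe(userName) {
  return `<div class="notice"><b>${userName}</b> left the room</div>`;
}

// Fixed pattern: the same template, with the untrusted field escaped first.
// In a real client, assigning element.textContent = userName is equivalent.
function renderLeaveNoticeSafe(userName) {
  return `<div class="notice"><b>${escapeHtml(userName)}</b> left the room</div>`;
}

// Regression check for code review or unit tests: does the rendered string
// contain any tag that is not part of the fixed template?
const TEMPLATE_TAGS = new Set(['div', '/div', 'b', '/b']);
function leaksForeignTags(html) {
  const tags = [...html.matchAll(/<\s*(\/?[a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !TEMPLATE_TAGS.has(t));
}

// Defense in depth (assumed policy): validate the name when the user joins, so
// angle brackets never reach the renderer. Output escaping stays mandatory;
// this only narrows the surface and rejects obviously malformed names early.
function isAcceptableDisplayName(name) {
  return typeof name === 'string' && name.length > 0 && name.length <= 64 && !/[<>]/.test(name);
}

// Constructed sample name containing harmless markup, to show the difference.
const SAMPLE_NAME = '<i>Alice</i>';

console.log(renderLeaveNoticeUnsafe(SAMPLE_NAME)); // markup survives: foreign <i> tag in DOM
console.log(renderLeaveNoticeSafe(SAMPLE_NAME));   // rendered as literal text
```

The check in leaksForeignTags is what a reviewer would turn into a unit test when auditing every place a display name is rendered, not only the private chat path named in this advisory.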

Affected component: BigBlueButton/HTML5

Attack type: Remote

Attack vectors: An attacker could inject XSS payloads into the private chat and execute arbitrary JavaScript code in the victim's browser. This is possible if the attacker and the victim are in the same conference room.

Reference: https://github.com/bigbluebutton/bigbluebutton/pull/14755

Discoverer: mgm security partners discovered this vulnerability during a security analysis of the BigBlueButton software commissioned by the German Federal Office for Information Security (BSI).

Timeline:
March 17, 2022: The vulnerability was reported to the BigBlueButton developer team.
April 8, 2022: The reported vulnerability was fixed in BigBlueButton 2.5.
May 2022: The patch was backported to BigBlueButton 2.4.

The Author

Mirko Richter

Mirko Richter is a Software Security Consultant, Source Code Analysis Specialist and Training Manager for basic training courses up to advanced coding and Secure SDLC training. He has been involved in software development, architecture and security since the mid-90s. He is a speaker at conferences and author of several technical articles.