Persistent XSS vulnerability in BigBlueButton Greenlight: Exploiting Sharing Features (CVE-2022-26497)
Digital meeting platforms like BigBlueButton simplify and enhance the flexibility of virtual collaboration but also place high demands on IT security. As part of a security analysis commissioned by the German Federal Office for Information Security (BSI), we discovered a serious vulnerability in Greenlight, the frontend interface of BigBlueButton, affecting versions up to 2.11.2.
Because the "Share Room Access" dialog rendered user names without sufficient validation or output encoding, an attacker could inject malicious JavaScript via the username of their own account. This persistent (stored) Cross-Site Scripting (XSS) payload fired whenever a room owner granted the attacker access to a room and later opened the dialog again. An attacker could thereby act with the victim's permissions in Greenlight, read confidential information, or manipulate the victim's browser.
Following our report, the vulnerability was fixed quickly: the attack vector no longer exists as of Greenlight version 2.12.0. In this article we show how the vulnerability worked, what it meant for your online meetings, and how you can protect yourself and your organisation. Rely on tested solutions! We support you in effectively protecting your digital communication.
Description
The Greenlight frontend of BigBlueButton, version 2.11.2 and earlier, is vulnerable to persistent Cross-Site Scripting (XSS) in the "Share Room Access" dialog. An attacker can store an XSS payload in the username field of their own account. The payload executes in the browser of a room owner who has previously granted the attacker access to a room and then opens the dialog.
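To make the mechanism behind this description concrete, the following Ruby snippet shows the vulnerable pattern next to its hardened form. It is an added example written for this article, not Greenlight's own code: the two rendering helpers, the `uid` parameter and the sample username are stand-ins that assume the shared-user list is built by placing the display name into HTML markup. In a Rails application such as Greenlight, `<%= %>` in ERB escapes by default, so a persistent XSS of this kind typically comes from markup assembled by string concatenation (in Ruby or in client-side JavaScript) or from values marked `html_safe`; the fix is the same either way, escape every untrusted value at the point where it is placed into HTML.

```ruby
require "cgi"

# Constructed sample username, the kind of value an attacker with an
# ordinary Greenlight account could set. This is not the payload from
# the actual report.
ATTACKER_NAME = %q{<img src=x onerror="alert(document.cookie)">}

# Hypothetical rendering of one entry in the "shared with" list, built by
# string interpolation without escaping. This is the vulnerable pattern:
# the username is placed verbatim into the markup the room owner's
# browser will parse, so the <img onerror=...> becomes live HTML.
def render_shared_user_unsafe(name, uid)
  %(<li class="shared-user" data-uid="#{uid}">#{name}</li>)
end

# Hardened form: every untrusted value is HTML-escaped before it is placed
# into markup. CGI.escapeHTML turns < > & " ' into entities, so the browser
# displays the payload as text instead of executing it. Escaping the
# attribute value too closes the second injection point (breaking out of
# the data-uid="..." attribute with a quote).
def render_shared_user_safe(name, uid)
  %(<li class="shared-user" data-uid="#{CGI.escapeHTML(uid.to_s)}">#{CGI.escapeHTML(name.to_s)}</li>)
end

# Check used below: did the attacker-controlled string survive into the
# output unchanged? In a browser the payload would execute on render;
# here we only look at the markup that would be delivered.
def payload_survives?(html, payload)
  html.include?(payload)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{render_shared_user_unsafe(ATTACKER_NAME, 'u-42')}"
  puts "safe:   #{render_shared_user_safe(ATTACKER_NAME, 'u-42')}"
end
```

The same rule applies to client-side code: when a list is assembled with jQuery or DOM APIs, set the display name with `.text()` / `textContent` rather than `.html()` / `innerHTML`, and treat the username as data, never as markup. A Content Security Policy that forbids inline scripts and event handlers limits the damage if an escaping bug slips through, but it is a second line of defence, not a replacement for output encoding.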
Affected component: BigBlueButton/Greenlight
Attack type: Remote
Attack vectors: To exploit the vulnerability, an attacker needs an active user account in the Greenlight application, and the victim must have granted that account access to one of their rooms.
Reference: https://github.com/bigbluebutton/greenlight/releases/tag/release-2.12.0.
Discoverer: mgm security partners discovered this vulnerability during a security analysis of the BigBlueButton software commissioned by the German Federal Office for Information Security (BSI).
Timeline:
March 4, 2022: The vulnerability was reported to the BigBlueButton development team.
April 15, 2022: Greenlight version 2.12.0 was released with the patch for the reported vulnerability.
