BigBlueButton Greenlight Cross-site-scripting vulnerability
BigBlueButton’s front-end interface Greenlight version 2.11.2 (or earlier) is vulnerable to stored Cross-Site Scripting (XSS) in the “Share Room Access” dialog. A threat actor could inject XSS payload in the username field. The payload gets executed in the “Share Room Access” dialog if the victim has shared access to the room with the attacker previously.
To exploit the vulnerability, an attacker needs an active user account in the Greenlight application. Additionally, the victim needs to have shared access to a room with the attacker.
mgm security partners found this vulnerability during a security analysis of the BigBlueButton software ordered by the Federal Office for Information Security in Germany (BSI).
- 4 March 2022: the vulnerability was reported to the BigBlueButton developer team
- 15 April 2022: Greenlight version 2.12.0 containing the patch for the reported vulnerability was released