BigBlueButton Cross-site-scripting vulnerability


BigBlueButton version 2.4.7 (or earlier) is vulnerable to stored Cross-Site Scripting (XSS) in the private chat functionality. A threat actor could inject JavaScript payload in his/her username. The payload gets executed in the browser of the victim each time the attacker sends a private message to the victim or when notification about the attacker leaving room is displayed.

Affected Component


Attack Type


Attack Vectors

An attacker could inject XSS payloads in private chat and run arbitrary JavaScript on victim’s browser. This can be done when the attacker and the victim are in the same conference room.



mgm security partners found this vulnerability during a security analysis of the BigBlueButton software ordered by the Federal Office for Information Security in Germany (BSI).


  • 17 March 2022: the vulnerability was reported to the BigBlueButton developer team
  • 8 April 2022: reported vulnerability was patched in BigBlueButton 2.5
  • May 2022: the patch was backported to BigBlueButton 2.4