BigBlueButton Stored Cross-Site Scripting Vulnerability in Shared Notes Feature

Vulnerability

A stored cross-site scripting vulnerability has been identified in BigBlueButton versions prior to 3.0.13, specifically within the 'Shared Notes' feature. The issue arises when a user sets a crafted username that is not properly sanitized before it is displayed. The script embedded in that username is then executed on the 'Shared Notes' page, but only when the page is viewed by users with higher privileges, such as Admins. As a result, low-privileged users can execute arbitrary JavaScript in the context of these higher-privileged users.
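
The defect class described above, as an added illustration that is not BigBlueButton's code: a participant name is concatenated into the Shared Notes markup unescaped, beside the escaped version. The note structure, the `authors` field and the sample name are assumptions constructed for the example.

```javascript
// Added example (not BigBlueButton code). Shows the unsafe rendering pattern
// behind a stored XSS via an unsanitized username, next to the escaped version.

// Minimal HTML escaping for text placed into element content or quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unsafe: the user-controlled name is concatenated straight into markup, so any
// HTML in the name becomes part of the page an Admin later loads.
function renderAuthorsUnsafe(note) {
  return note.authors.map(a => `<span class="author">${a.name}</span>`).join('');
}

// Safe: every user-controlled field is escaped before it reaches the markup.
function renderAuthorsSafe(note) {
  return note.authors
    .map(a => `<span class="author">${escapeHtml(a.name)}</span>`)
    .join('');
}

// Constructed sample (hypothetical shape): one ordinary participant and one
// whose display name carries a script tag.
const sampleNote = {
  id: 'notes-1',
  authors: [
    { name: 'Alice' },
    { name: '<script>alert(1)</script>' },
  ],
};

// Simple check for a regression test: does rendered output still contain a
// raw <script> tag from user input?
function leaksScript(html) {
  return /<script/i.test(html);
}
```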

Impact

Exploitation of this vulnerability allows low-privileged users to execute arbitrary JavaScript in the context of higher-privileged users, such as Admins, who access the Shared Notes page. This could lead to various malicious actions, such as session hijacking, installing keyloggers, or redirecting users to malicious websites.

Remediation

Users are advised to upgrade to BigBlueButton version 3.0.13 or later, where this vulnerability has been patched.

Added: Oct 9, 2025, 7:18 PM
Updated: Oct 9, 2025, 7:18 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 5.4
exploitability: 5.4
remediation: 7.7
relevance: 0.6
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.