BigBlueButton Denial-of-Service Vulnerability in Chat Functionality

Vulnerability

A denial-of-service vulnerability has been identified in BigBlueButton versions prior to 3.0.13. Any authenticated meeting participant can disrupt chat for everyone in the meeting by sending a malformed 'reactionEmojiId' through the 'chatSendMessageReaction' GraphQL mutation. The server does not validate this parameter, so the invalid value is accepted and reaches every participant's client, where the chat user interface crashes when it tries to render the reaction. As a result, users can neither read nor send messages, which halts chat communication for the rest of the session.

Impact

Exploitation crashes the chat interface for every user in the meeting and replaces it with an error message. Affected users can neither send nor receive chat messages, so communication through chat is interrupted for the remainder of the session. No elevated privileges are required: any user who is permitted to join the meeting can trigger the condition.

Reproduction

To reproduce this vulnerability, join a BigBlueButton meeting with chat reactions enabled. Open the browser's developer tools and capture the GraphQL WebSocket payload sent when reacting to a chat message. Change the 'reactionEmojiId' value to an invalid string such as 'grinning123-dos' and send the altered mutation. The chat crashes for all participants, with an error message reporting a failure to read properties of 'undefined'.

Remediation

Users are advised to upgrade to BigBlueButton version 3.0.13 or later, which includes a patch for this vulnerability. The reproduction steps require chat reactions to be enabled, so disabling them may reduce exposure as an interim measure, but it does not replace the upgrade.
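The following is an added illustration of the failure class described above and of the two places it should be stopped; it is not BigBlueButton's code. The emoji table, the id grammar, the resolver shape and all function names are assumptions made for the example, and the exploit payload string is the one quoted in the reproduction steps.

```javascript
// Added example, not BigBlueButton code: an unvalidated reactionEmojiId is
// stored, relayed to every subscriber, and each client's render path throws
// on the unknown id. Emoji table, id grammar and helper names are assumed.

// Constructed emoji table standing in for the client's emoji set.
const EMOJI_TABLE = {
  grinning: { native: '\u{1F600}' },
  thumbsup: { native: '\u{1F44D}' },
  heart: { native: '\u2764' },
};

// Vulnerable render path: trusts whatever id arrived over the subscription.
// An unknown id yields undefined, and reading .native on it throws
// "Cannot read properties of undefined", which unmounts the chat component.
function renderReactionVulnerable(reaction) {
  return EMOJI_TABLE[reaction.reactionEmojiId].native;
}

// Fix 1 (server side): validate the mutation argument before anything is
// stored or broadcast. A format check alone is not enough: 'grinning123-dos'
// passes the regex, so membership in the known set is what matters.
const EMOJI_ID_RE = /^[a-z0-9_+-]{1,64}$/; // assumed id grammar
function validateReactionEmojiId(id) {
  if (typeof id !== 'string') return { ok: false, reason: 'not a string' };
  if (!EMOJI_ID_RE.test(id)) return { ok: false, reason: 'bad format' };
  // hasOwnProperty rather than `in` so '__proto__' or 'constructor' are
  // rejected instead of resolving to inherited Object properties.
  if (!Object.prototype.hasOwnProperty.call(EMOJI_TABLE, id)) {
    return { ok: false, reason: 'unknown emoji id' };
  }
  return { ok: true, id };
}

// Assumed resolver shape for chatSendMessageReaction: only validated ids
// reach the per-message reaction list that subscribers will receive.
function chatSendMessageReaction(store, { messageId, reactionEmojiId }) {
  const v = validateReactionEmojiId(reactionEmojiId);
  if (!v.ok) throw new Error(`invalid reactionEmojiId: ${v.reason}`);
  const list = store.get(messageId) || [];
  list.push({ reactionEmojiId: v.id });
  store.set(messageId, list);
  return list.length;
}

// Fix 2 (client side, defence in depth): never let one bad record throw out
// of the render path; show a placeholder and keep the chat usable.
function renderReactionSafe(reaction) {
  const entry = Object.prototype.hasOwnProperty.call(EMOJI_TABLE, reaction.reactionEmojiId)
    ? EMOJI_TABLE[reaction.reactionEmojiId]
    : undefined;
  return entry ? entry.native : '\uFFFD';
}

// Simulates the broadcast: every client renders the same relayed record.
// Returns how many of `clientCount` clients crashed on it.
function clientsCrashed(reaction, clientCount, renderer) {
  let crashed = 0;
  for (let i = 0; i < clientCount; i += 1) {
    try {
      renderer(reaction);
    } catch (e) {
      crashed += 1;
    }
  }
  return crashed;
}

// Stand-alone demonstration with the payload from the reproduction steps.
const dos = { reactionEmojiId: 'grinning123-dos' };
console.log('vulnerable renderer, 5 clients crashed:',
  clientsCrashed(dos, 5, renderReactionVulnerable));
console.log('safe renderer, 5 clients crashed:',
  clientsCrashed(dos, 5, renderReactionSafe));
console.log('server-side validation:', validateReactionEmojiId(dos.reactionEmojiId));
```

The server-side allowlist is the real fix, because a client-side guard only protects clients that have been updated; the render guard is still worth keeping so that a single bad record in the subscription stream can never take the whole chat component down again.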

Added: Oct 9, 2025, 9:21 PM
Updated: Oct 9, 2025, 9:21 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 2.5
exploitability: 9.7
remediation: 7.7
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.