PILOS Cross-Site Request Forgery Vulnerability in Administrative API Endpoint

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in PILOS, a frontend for BigBlueButton, in versions prior to 4.10.0. The vulnerability exists in an administrative API endpoint that terminates all active video conferences on a server. This endpoint, which performs a destructive action, is reachable via an HTTP GET request. Authorization checks are in place and the endpoint cannot be triggered from another site, but the use of GET for a state-changing action means the usual CSRF defences do not cover it: anti-CSRF token validation is built on the assumption that GET is a safe, read-only method, and SameSite cookie restrictions do not apply to requests that originate from the application's own pages. Any same-site content that causes the browser to load a URL, such as an embedded resource rendered within the application, will therefore issue the request with the administrator's session attached. Consequently, an authenticated administrator who views manipulated content may unintentionally activate the endpoint, terminating all active video conferences on the server without explicit intent or confirmation.

Impact

Exploitation of this vulnerability allows a request-forgery attack in which an authenticated administrator's browser, without the administrator's intent, terminates all active video conferences on a server.

Reproduction

To reproduce this vulnerability, an authenticated administrator must view crafted content that exploits the same-site GET request vulnerability. This is done by embedding, in content the administrator will view within the application, a resource whose URL points at the administrative API endpoint; the browser fetches the resource automatically and sends the administrator's session cookies with it, so the endpoint is triggered without the administrator's knowledge.

Remediation

Users can upgrade to PILOS version 4.10.0 or later to address this vulnerability.

Added: Jan 12, 2026, 11:16 PM
Updated: Jan 12, 2026, 11:16 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 3.6
remediation: 7.7
relevance: 2.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.