BigBlueButton Open Redirect Vulnerability in ApiController

Vulnerability

An open redirect vulnerability has been identified in BigBlueButton versions 3.0.x prior to 3.0.20. The issue arises in the ApiController, where the errorRedirectUrl parameter is not properly validated before being passed to the respondWithRedirect function. Because the value is not validated, a request can cause the server to redirect the user to an arbitrary, untrusted URL, potentially leading users to malicious sites. Organizations that upgraded from BigBlueButton 2.7.x to 3.0.x are particularly affected, as a code change in the new version introduced this redirect behavior for validation errors.

Impact

Exploitation of this vulnerability allows for open redirect behavior, where users can be sent to untrusted sites via manipulated redirect URLs. This could be used in phishing attacks or to bypass security controls that rely on URL validation.
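The defensive pattern that closes this class of bug is to validate a caller-supplied redirect target against the server's own origin before redirecting. The following is an added example and is not BigBlueButton's code; the function names, the allow-list in ALLOWED_HOSTS and the fallback path are constructed for illustration, and it also covers bypass shapes (scheme-relative, backslash, userinfo and non-https targets) beyond the single case the advisory describes.

```python
"""Redirect-target validation, added example (not BigBlueButton's code)."""
from urllib.parse import urlsplit

# Constructed allow-list: only this deployment's own hostnames may be redirect targets.
ALLOWED_HOSTS = {"bbb.example.org"}
# Constructed fixed landing page used whenever the supplied target is rejected.
FALLBACK = "/error"


def unsafe_redirect_target(error_redirect_url: str) -> str:
    """The weak pattern: the caller-supplied value is used as the Location as-is."""
    return error_redirect_url


def safe_redirect_target(error_redirect_url: str, allowed_hosts=ALLOWED_HOSTS) -> str:
    """Accept only a local absolute path or an https URL on an allowed host.

    Anything else (external host, other scheme, scheme-relative "//host",
    backslash or userinfo tricks, empty value) is replaced by FALLBACK.
    """
    if not error_redirect_url:
        return FALLBACK
    # Browsers treat backslashes as slashes, so "/\evil" is really "//evil".
    candidate = error_redirect_url.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: must be a single-slash absolute path with no control chars.
        if candidate.startswith("/") and not candidate.startswith("//") and candidate.isprintable():
            return candidate
        return FALLBACK
    if parts.scheme.lower() != "https":
        return FALLBACK
    # .hostname drops userinfo and port: "https://bbb.example.org@evil" resolves to host "evil".
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return FALLBACK
    return candidate
```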

Remediation

Users are advised to upgrade to BigBlueButton version 3.0.20, which addresses this vulnerability. Instructions for upgrading can be found in the BigBlueButton documentation.

Added: Feb 25, 2026, 7:35 PM
Updated: Feb 25, 2026, 7:35 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 0.2
exploitability: 6.7
remediation: 7.7
relevance: 3.2
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.