BigBlueButton Cross-site-scripting vulnerability

May 12, 2022
Tags: SAST, SCA
Category: CVE News

Persistent XSS in BigBlueButton Chat: Early Detection of Risks for Virtual Conferences (CVE-2022-27238)

Web conferences have become an indispensable part of the daily work routine for many companies. This makes it all the more important that the underlying platforms, such as BigBlueButton, meet the highest security standards. As part of an analysis commissioned by the German Federal Office for Information Security (BSI), we discovered a security-critical vulnerability in version 2.4.7 and earlier versions of BigBlueButton.

Due to an insufficient check of the private chat function, it was possible to store malicious code directly in the user name. Whenever the attacker sent the victim a private message or left the room, the code was executed in the victim's browser. This threatened the integrity of conferences and jeopardized the confidentiality and protection of sensitive data.

The report enabled rapid remediation of the vulnerability: the problem was fixed in BigBlueButton version 2.5 and in a later patch for version 2.4. In this article, you will learn how the vulnerability worked, what risks it posed, and what measures are now important to protect your web conferences. Secure your digital collaboration; we will be happy to support you in setting up a secure IT infrastructure.

Description

BigBlueButton version 2.4.7 (or earlier) is vulnerable to persistent Cross-Site Scripting (XSS) in the private chat function. An attacker could inject a JavaScript payload into their username. The payload is executed in the victim's browser each time the attacker sends a private message to the victim or when a notification is displayed that the attacker is leaving the room.

Affected component: BigBlueButton/Html-5

Attack type: Remote

Attack vectors: An attacker could inject XSS payloads into the private chat and execute arbitrary JavaScript code in the victim's browser. This is possible if the attacker and the victim are in the same conference room.
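The root cause described above (a user-controlled display name rendered into a chat or "left the room" notification as HTML) is illustrated below with an added example. This is not BigBlueButton's code and does not reproduce its client; the function names, the notification markup and the sample display name are constructed for the demonstration. It puts the vulnerable rendering next to the hardened form (escape at the point of insertion into HTML) and adds a small guard a build could run over rendered fragments to catch a regression.

```javascript
// Added illustrative example, not BigBlueButton's code.
// Models how a display name chosen by a participant ends up in a
// notification shown to other participants in the same room.

// Escape the five characters that matter when text is placed into an
// HTML context. Encoding here is what makes markup in a name inert.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable form: the display name is interpolated into markup unchanged,
// so a name containing tags is parsed as HTML by the recipient's browser.
function renderLeaveNoticeVulnerable(displayName) {
  return `<div class="notice"><b>${displayName}</b> left the room</div>`;
}

// Hardened form: the same template, but the untrusted value is escaped
// exactly where it enters the HTML context. The name is displayed literally.
function renderLeaveNoticeSafe(displayName) {
  return `<div class="notice"><b>${escapeHtml(displayName)}</b> left the room</div>`;
}

// Regression guard: does a rendered fragment contain a real (unescaped) tag
// that could execute script, i.e. a <script> tag or an element with an
// inline on* event handler? Escaped text has no literal "<" and so never matches.
function containsActiveContent(html) {
  return /<script\b|<[a-z][^>]*\bon\w+\s*=/i.test(html);
}

// Defence in depth (assumed policy, not BigBlueButton's): reject names that
// carry markup characters before they are stored at all. Output encoding
// remains the primary fix; this only narrows what reaches the renderer.
function isPlausibleDisplayName(name) {
  return typeof name === "string" && name.length >= 1 && name.length <= 64 && !/[<>]/.test(name);
}

// Constructed sample: a display name that smuggles a tag with an inline handler.
const SAMPLE_NAME = '<b onclick="probe()">Alice';

// Stand-alone run: show both renderings and the guard's verdict.
for (const render of [renderLeaveNoticeVulnerable, renderLeaveNoticeSafe]) {
  const html = render(SAMPLE_NAME);
  console.log(render.name, "->", html, "| active content:", containsActiveContent(html));
}
console.log("accepted at input:", isPlausibleDisplayName(SAMPLE_NAME));
```

The fix that matters is in `renderLeaveNoticeSafe`: encoding happens at the sink, for every path that displays the name (private message header, leave notification, participant list), rather than relying on a single check at registration time. The input allowlist is a second layer and should not be the only one, because the same stored name may later be rendered by code that was not considered when the check was written.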

Reference: https://github.com/bigbluebutton/bigbluebutton/pull/14755

Discoverer: mgm security partners discovered this vulnerability during a security analysis of the BigBlueButton software commissioned by the German Federal Office for Information Security (BSI).

Timeline:
March 17, 2022: The vulnerability was reported to the BigBlueButton developer team.
April 8, 2022: The reported vulnerability was fixed in BigBlueButton 2.5.
May 2022: The patch was backported to BigBlueButton 2.4.

The Author

Mirko Richter

Mirko Richter is a Software Security Consultant, Source Code Analysis Specialist and Training Manager for basic training courses up to advanced coding and Secure SDLC training. He has been involved in software development, architecture and security since the mid-90s. He is a speaker at conferences and author of several technical articles.