CVE-2025-55200

High CVSS: 7.1

BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.13, the "Shared Notes" feature contains a Stored Cross-Site Scripting (XSS) vulnerability with the input location being the "Username" field and the output location on the "Shared Notes" page, when a user with a malicious username is editing content. This vulnerability allows a low-privileged user to execute arbitrary JavaScript in the context of higher-privileged users (e.g., Admins) who open the Shared Notes page. Version 3.0.13 fixes the issue.

Vendor

Bigbluebutton

Product

Bigbluebutton

CWE

CWE-79

Yayın Tarihi

2025-10-09 19:15:43

Güncelleme

2025-10-20 15:30:19

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-79 Bigbluebutton HIGH Bigbluebutton 2025

Referanslar

https://github.com/bigbluebutton/bbb-pads/pull/67 https://github.com/bigbluebutton/bbb-pads/releases/tag/v1.5.4 https://github.com/bigbluebutton/bigbluebutton/pull/23693 https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-9jv9-cjrm-grj2

Benzer Kayıtlar

Medium

CVE-2026-27736

BigBlueButton is an open-source virtual classroom. In versions on the 3.x branch prior to 3.0.20, the string received wi…

High

CVE-2026-27466

BigBlueButton is an open-source virtual classroom. In versions 3.0.21 and below, the official documentation for "Server…

Low

CVE-2026-27467

BigBlueButton is an open-source virtual classroom. In versions 3.0.19 and below, when first joining a session with the m…

High

CVE-2025-61601

BigBlueButton is an open-source virtual classroom. A Denial of Service (DoS) vulnerability in versions prior to 3.0.13 a…

High

CVE-2025-61602

BigBlueButton is an open-source virtual classroom. A denial-of-service (DoS) vulnerability in versions prior to 3.0.13 a…