=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN685
_____________________________________________________________________

DATE                : 10/10/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running BigBlueButton versions prior to 3.0.13.

=====================================================================
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-9jv9-cjrm-grj2
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-5m8m-h7fj-8wx6
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-73j3-v3fq-fqx5
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-45j2-m26c-3pcm
_____________________________________________________________________

Stored XSS via name of user at Shared Notes
High
antobinary published GHSA-9jv9-cjrm-grj2 Oct 9, 2025

Package
No package listed

Affected versions
<=3.0.12

Patched versions
3.0.13


Description

Summary

The “Shared Notes” feature contains a Stored Cross-Site Scripting (XSS)
vulnerability with the following input and output locations:

    Input: The “Username” field
    Output: On the "Shared Notes" page, when a user with a malicious
username is editing content.
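The defect class behind this advisory, as an added illustration that is not code from bbb-pads or BigBlueButton: a display name is attacker-controlled data, and if it is concatenated into markup that the Shared Notes editor renders as HTML, it becomes script in the viewer's session. The rendering helper names, the wrapping span and the sample name are assumptions; the fix shown is standard HTML entity encoding at the output location.

```javascript
// Added example (not bbb-pads or BigBlueButton code): a username rendered
// raw into HTML beside the encoded form. Function names are hypothetical.

// HTML entity encoding for text placed in an element body or a quoted
// attribute value: the five characters that can break out of either.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern: the username is interpolated unencoded into markup
// that is later assigned to innerHTML (or shipped to other clients as HTML).
function renderAuthorLabelUnsafe(username) {
  return `<span class="author">${username}</span>`;
}

// Hardened pattern: encode before interpolation. The equivalent DOM-level
// fix is element.textContent = username instead of building an HTML string.
function renderAuthorLabel(username) {
  return `<span class="author">${escapeHtml(username)}</span>`;
}

// Review/CI self-check: the rendered label for an arbitrary name must contain
// no tag other than the wrapping <span>.
function containsForeignTag(html) {
  const inner = html
    .replace(/^<span class="author">/, '')
    .replace(/<\/span>$/, '');
  return /<[^>]*>/.test(inner);
}

// Constructed sample name (a textbook probe string, not a real user).
const SAMPLE_NAME = '<script>alert(1)</script>';

// With the unsafe renderer the probe survives as a tag; with the hardened
// one it is inert text.
console.log(renderAuthorLabelUnsafe(SAMPLE_NAME));
console.log(renderAuthorLabel(SAMPLE_NAME));
```

Encoding at the output location is preferable to filtering the username on input, because the same name is rendered in several places (participant list, chat, notes) and only the renderer knows which context it is writing into.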


Patches

Patch on BigBlueButton 3.0.13: bigbluebutton/bbb-pads#67 via
https://github.com/bigbluebutton/bbb-pads/releases/tag/v1.5.4
via #23693


Workarounds

We recommend upgrading to a patched version of BigBlueButton.


Impact

This vulnerability allows a low-privileged user to execute
arbitrary JavaScript in the context of higher-privileged users
(e.g., Admins) who open the Shared Notes page. Potential
impacts include:

    Installing keyloggers to capture user input
    Performing actions on behalf of the victim (session
hijacking)
    Displaying fake login forms or redirecting victims to
malicious websites


Severity
High
7.1 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CVE ID
CVE-2025-55200

Weaknesses
Weakness CWE-80


Credits

    @brocked200 brocked200 Reporter
    @ducctrungg ducctrungg Reporter

_____________________________________________________________________

Reacting to messages can make the chat unusable.
High
antobinary published GHSA-5m8m-h7fj-8wx6 Oct 9, 2025

Package
No package listed

Affected versions
<=3.0.12

Patched versions
3.0.13


Description

Summary

If the reactionEmojiId is manipulated to an invalid value when reacting
to a message with emojis, the chat crashes and no messages can be sent
or received on the web interface. Older messages also become
inaccessible.


Details

There is no validation for the reactionEmojiId parameter when reacting
to messages.


PoC

Use Burp Suite or any other proxy tool to intercept the WebSocket
request that sends the reaction. For example:

{
      "id":"748d3843-2481-46cc-8222-1e9acdfabbe6",
      "type":"subscribe",
      "payload":{
        "variables":{
          "chatId":"MAIN-PUBLIC-GROUP-CHAT",
          "messageId":"1753867137943-sqonzcif",
          "reactionEmoji":"👍",
          "reactionEmojiId":"+1"
        },
        "extensions":{},
        "query":"mutation ($chatId: String!, $messageId: String!, $reactionEmoji: String!, $reactionEmojiId: String!) {\n  chatSendMessageReaction(\n    chatId: $chatId\n    messageId: $messageId\n    reactionEmoji: $reactionEmoji\n    reactionEmojiId: $reactionEmojiId\n  )\n}"
      }
    }

Setting the reactionEmojiId parameter to an invalid value
(e.g. changing it from +1 to +10) and forwarding the request
crashes the chat, rendering it unusable.


Impact

Denial of Service. The chat is unusable. Everyone who wants to use the
chat in BigBlueButton rooms is affected.


Severity
High
7.5 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID
CVE-2025-61602

Weaknesses
Weakness CWE-400
Weakness CWE-754


Credits

    @Rand0x Rand0x Reporter


_____________________________________________________________________


DoS via PollSubmitVote GraphQL mutation leads to BigBlueButton server
crash
High
antobinary published GHSA-73j3-v3fq-fqx5 Oct 9, 2025

Package
No package listed

Affected versions
<=3.0.12

Patched versions
3.0.13


Description

Summary

A Denial of Service (DoS) vulnerability in BigBlueButton allows any
authenticated user to freeze or crash the entire server by abusing
the polling feature's Choices response type. By submitting a
malicious payload with a massive array in the answerIds field, the
attacker can cause the current meeting—and potentially all meetings
on the server—to become unresponsive.


Details

BigBlueButton uses GraphQL to process poll answers. When a user
responds to a poll, the following GraphQL mutation is sent:

{
  "operationName": "PollSubmitVote",
  "variables": {
    "pollId": "33b02ba2abac8cfd9ac6e9f8e4a373a6e56a008c-1754021521159/1/1754021669137",
    "answerIds": [0]
  },
  "query": "mutation PollSubmitVote($pollId: String!, $answerIds: [Int]!) {\n  pollSubmitUserVote(pollId: $pollId, answerIds: $answerIds)\n}"
}

The answerIds field is an array of integers representing the
selected answers. Normally, this contains a small number of items
(e.g., [0]). However, the backend fails to properly validate
the size of this array.
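As an added example of the missing control (not BigBlueButton code, and not the actual 3.0.13 patch), the following shows server-side bounds checking of answerIds before the vote is forwarded anywhere. The poll record shape, the numAnswers and multipleResponse fields and the function names are assumptions; the point is that the length check runs before any iteration, so an oversized array costs O(1) to reject.

```javascript
// Added example (not BigBlueButton code): validating the answerIds variable
// of a PollSubmitVote-style mutation. Poll shape and names are hypothetical.

// Constructed poll record: a single-choice "Choices" poll with three options.
const SAMPLE_POLL = {
  pollId: 'poll-constructed-1',
  type: 'Choices',
  numAnswers: 3,
  multipleResponse: false,
};

class VoteValidationError extends Error {}

// Returns the deduplicated, validated answer list or throws. All checks are
// cheap and happen before anything is allocated or sent to the meeting
// back end.
function validateAnswerIds(poll, answerIds) {
  if (!Array.isArray(answerIds)) {
    throw new VoteValidationError('answerIds must be an array');
  }
  // Hard cap checked first: a voter can never legitimately select more
  // options than the poll has, so a 100,000-entry array is rejected on
  // its length alone, without iterating it.
  if (answerIds.length === 0 || answerIds.length > poll.numAnswers) {
    throw new VoteValidationError(
      `answerIds length ${answerIds.length} outside 1..${poll.numAnswers}`);
  }
  if (!poll.multipleResponse && answerIds.length !== 1) {
    throw new VoteValidationError('single-choice poll accepts exactly one answer');
  }
  const seen = new Set();
  for (const id of answerIds) {
    if (!Number.isInteger(id) || id < 0 || id >= poll.numAnswers) {
      throw new VoteValidationError(`answer id ${id} is not a valid option index`);
    }
    if (seen.has(id)) {
      throw new VoteValidationError(`answer id ${id} repeated`);
    }
    seen.add(id);
  }
  return [...seen];
}

// Resolver-style wrapper: a validation failure becomes a GraphQL-style error
// result for that one caller instead of propagating into the meeting process.
function pollSubmitUserVote(poll, variables) {
  try {
    const answerIds = validateAnswerIds(poll, variables.answerIds);
    return { ok: true, answerIds };
  } catch (e) {
    if (e instanceof VoteValidationError) return { ok: false, error: e.message };
    throw e;
  }
}

console.log(pollSubmitUserVote(SAMPLE_POLL, { answerIds: [0] }));
console.log(pollSubmitUserVote(SAMPLE_POLL, { answerIds: new Array(100000).fill(0) }));
```

A complementary, cheaper layer is a request body size limit on the GraphQL endpoint itself, so that a multi-megabyte variables object is refused before JSON parsing; the resolver-level check above is still needed because a small body can carry a large array through repeated short entries.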

An attacker can exploit this by submitting an excessively large
answerIds array, such as:

"answerIds": [0,0,0,0,0,...] // hundreds of thousands of entries

After submitting the oversized array, the current meeting
immediately becomes unresponsive—chat, webcam, and other features
freeze. Refreshing the page results in an error page: “Oops,
something went wrong”

Worse, in testing, even newly created meetings using a different
user account on the same server also returned the same error. This
indicates that the vulnerability crashes or freezes the entire
BigBlueButton backend, not just the current session.


PoC

    Join any active BigBlueButton meeting.

    Start a poll with type Choices (e.g., single choice).

    Intercept the GraphQL request using a proxy (e.g., Burp Suite).

    Modify the request body and replace:

    "answerIds": [0]

with

"answerIds": [0, 0, 0, ..., 0] // e.g., 100,000+ entries

    Forward the modified request.

    Observe that the meeting becomes unresponsive.

    Try joining other meetings or creating a new one on the same
server – they may also fail with an “Oops, something went
wrong” error.

Video PoC: https://www.youtube.com/watch?v=BwROSVIYjOY


Impact

    Vulnerability Type: Denial of Service (DoS)

    Affected Component: pollSubmitUserVote GraphQL mutation

    Impact:
        Freezes the current meeting
        Potentially crashes the entire BigBlueButton server
        Affects all users and meetings

    No rate limiting or payload size restriction is enforced
on answerIds


Patches

BigBlueButton 3.0.13 patch #23662


Workaround

There are no workarounds. We recommend upgrading to a patched
version of BigBlueButton.


Severity
High
7.5 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID
CVE-2025-61601

Weaknesses
Weakness CWE-703


Credits

    @brocked200 brocked200 Reporter
    @ducctrungg ducctrungg Reporter


_____________________________________________________________________


Chat DoS via invalid reactionEmojiId in BigBlueButton
High
antobinary published GHSA-45j2-m26c-3pcm Oct 9, 2025

Package
No package listed

Affected versions
<=3.0.12

Patched versions
3.0.13


Description

Summary

A denial-of-service (DoS) vulnerability in BigBlueButton allows any
authenticated user to crash the chat functionality for all participants
in a meeting by sending a malformed reactionEmojiId in the GraphQL
mutation chatSendMessageReaction.


Details

When a user reacts to a message in the public chat, the client sends
the following GraphQL mutation:

{
  "id": "8e2ba91f-1718-499e-a7b4-40cc90311f89",
  "type": "subscribe",
  "payload": {
    "variables": {
      "chatId": "MAIN-PUBLIC-GROUP-CHAT",
      "messageId": "1753951730009-nwbtwgjg",
      "reactionEmoji": "😀",
      "reactionEmojiId": "grinning"
    },
    "extensions": {},
    "query": "mutation ($chatId: String!, $messageId: String!, $reactionEmoji: String!, $reactionEmojiId: String!) {\n  chatSendMessageReaction(\n    chatId: $chatId\n    messageId: $messageId\n    reactionEmoji: $reactionEmoji\n    reactionEmojiId: $reactionEmojiId\n  )\n}"
  }
}

However, the reactionEmojiId parameter is not validated on the server.
A malicious user can send an invalid value (e.g. grinning123-dos) which
causes the application to crash the chat UI with the following error:

An error occurred
Cannot read properties of undefined (reading 'skins')
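Both this advisory and GHSA-5m8m-h7fj-8wx6 above describe the same missing check on reactionEmojiId. As an added example (not BigBlueButton code, and not its 3.0.13 patch), the block below shows two defensive layers: server-side validation of the mutation variables against a known emoji table, and a client-side renderer that tolerates an unknown id instead of dereferencing undefined. The emoji table is a constructed three-entry stand-in, and the assumption that the client indexes an emoji data set by id and reads a skins property is inferred from the error text, not confirmed by the page.

```javascript
// Added example (not BigBlueButton code): validating reactionEmojiId for a
// chatSendMessageReaction-style mutation, plus a crash-tolerant renderer.
// Emoji table, id syntax and function names are hypothetical.

// Constructed emoji table keyed by id; each entry carries a `skins` array,
// the shape the advisory's error message hints at.
const EMOJI_TABLE = {
  '+1':       { skins: [{ native: '👍' }] },
  'grinning': { skins: [{ native: '😀' }] },
  'heart':    { skins: [{ native: '❤️' }] },
};

// Assumed id syntax: short, printable, no whitespace or markup characters.
const EMOJI_ID_RE = /^[+\-a-z0-9_]{1,32}$/;

// Layer 1, server side: accept the reaction only if the id is syntactically
// sane, resolves to a known emoji (own property only, so "__proto__" and
// similar keys do not resolve to Object.prototype) and agrees with the
// native character sent alongside it.
function validateReaction(variables) {
  const { reactionEmoji, reactionEmojiId } = variables;
  if (typeof reactionEmojiId !== 'string' || !EMOJI_ID_RE.test(reactionEmojiId)) {
    return { ok: false, reason: 'malformed reactionEmojiId' };
  }
  const entry = Object.prototype.hasOwnProperty.call(EMOJI_TABLE, reactionEmojiId)
    ? EMOJI_TABLE[reactionEmojiId]
    : undefined;
  if (!entry) return { ok: false, reason: 'unknown reactionEmojiId' };
  const natives = entry.skins.map((s) => s.native);
  if (!natives.includes(reactionEmoji)) {
    return { ok: false, reason: 'reactionEmoji does not match reactionEmojiId' };
  }
  return { ok: true, reactionEmojiId };
}

// Layer 2, client side. Unguarded form, reproducing the failure class from
// the advisory: an unknown id makes the lookup undefined and `.skins` throws,
// taking the whole chat component down with it.
function renderReactionUnsafe(id) {
  return EMOJI_TABLE[id].skins[0].native;
}

// Guarded form: an id that does not resolve renders a placeholder glyph, so
// one bad reaction cannot unmount the chat for every viewer.
function renderReaction(id) {
  const entry = Object.prototype.hasOwnProperty.call(EMOJI_TABLE, id)
    ? EMOJI_TABLE[id]
    : undefined;
  return entry && Array.isArray(entry.skins) && entry.skins[0]
    ? entry.skins[0].native
    : '\u2753';
}

console.log(validateReaction({ reactionEmoji: '👍', reactionEmojiId: '+1' }));
console.log(validateReaction({ reactionEmoji: '👍', reactionEmojiId: '+10' }));
console.log(renderReaction('grinning'), renderReaction('grinning123-dos'));
```

The server-side layer is the actual fix, since it keeps bad data out of the message store that every client replays; the client-side guard matters because stored reactions written before an upgrade, or messages from a server that has not been patched yet, still reach browsers that must not crash on them.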


PoC

    Join any BigBlueButton meeting (e.g. via demo6.bigbluebutton.org).
    Open the browser developer tools and intercept the GraphQL
WebSocket payload.
    Modify the reactionEmojiId to an invalid value like "grinning123".
    Send the modified GraphQL mutation.
    Observe that the chat crashes for all users in the meeting,
with the error message:

An error occurred
Cannot read properties of undefined (reading 'skins')

(See attached screenshots for confirmation.)


Impact

A malicious user can break the chat functionality for all participants
in a meeting by sending a crafted reactionEmojiId. This causes a
frontend crash (Cannot read properties of undefined) and prevents
users from reading or sending messages, effectively disrupting
communication in the session.


Workarounds

There are no workarounds. We recommend upgrading to a patched
version of BigBlueButton.


Patches

BigBlueButton 3.0.13 patch: #23651


Severity
High
7.5 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID
CVE-2025-61602

Weaknesses
Weakness CWE-703


Credits

    @brocked200 brocked200 Reporter
    @ducctrungg ducctrungg Reporter


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================