The developers of the open-source web conferencing system BigBlueButton (BBB) for Windows and Linux servers have closed several vulnerabilities with an update to version 3.0.13.
Under certain circumstances, authenticated attackers could have remotely exploited three vulnerabilities rated "High" to sabotage the chat functions of all users during video conferences or to execute malicious scripts via cross-site scripting (XSS). It was also possible to crash the current meeting or, in the worst case, all online conferences currently taking place on the affected server (denial of service).
So far, nothing is known about exploits or attempted attacks in the wild. Nevertheless, a prompt update is recommended.
BBB is designed for use in educational institutions and is also used in schools and universities in this country. It can be integrated into common learning and content management systems such as IServ, Moodle or ILIAS and includes features for online presentations, shared notes and voting.
The current security vulnerabilities CVE-2025-55200 (XSS, CVSS v3 score 7.1), CVE-2025-61601 (DoS, 7.5) and CVE-2025-61602 (DoS, 7.5) affect some of these features. A user logged in as a meeting participant with a specially prepared nickname can trigger the XSS vulnerability by entering certain shared notes. Crashing a meeting relies on malicious entries in the voting function, and the chat crashes if an insufficiently validated emoji parameter is manipulated; the latter can be done quite easily using the browser's developer tools.
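As an added illustration of the defensive side (not BigBlueButton's own code, and the parameter names and limits are assumptions), the following server-side checks cover the three input surfaces the article names: a nickname rendered into shared notes, a poll entry, and a chat emoji reaction parameter that a client could alter in the browser's developer tools.

```javascript
// Hypothetical server-side input validation; limits are assumed values.
const MAX_NICKNAME_CHARS = 64;
const MAX_POLL_OPTIONS = 20;
const MAX_POLL_OPTION_CHARS = 200;

// Escape the five HTML-significant characters so a crafted nickname is
// rendered as text wherever it is interpolated (notes, chat, poll results).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Trim, cap the length and escape before the nickname is stored or broadcast.
function sanitizeNickname(raw) {
  return escapeHtml(String(raw).trim().slice(0, MAX_NICKNAME_CHARS));
}

// A reaction must be exactly one pictographic code point, optionally followed
// by the emoji variation selector U+FE0F. Markup, long strings, empty input
// and non-string payloads are rejected before they are relayed to every client.
const EMOJI_RE = /^\p{Extended_Pictographic}\uFE0F?$/u;
function validateEmoji(raw) {
  return typeof raw === 'string' && EMOJI_RE.test(raw);
}

// Poll entries: bounded count, bounded length, no control characters.
function validatePollOptions(options) {
  if (!Array.isArray(options)) return false;
  if (options.length === 0 || options.length > MAX_POLL_OPTIONS) return false;
  return options.every(
    (o) =>
      typeof o === 'string' &&
      o.length > 0 &&
      o.length <= MAX_POLL_OPTION_CHARS &&
      !/[\u0000-\u001f\u007f]/.test(o),
  );
}

// Constructed request as a client might send it after editing it in devtools.
const constructedReaction = { emoji: '<img src=x onerror=alert(1)>' };
validateEmoji(constructedReaction.emoji); // false: rejected, nothing is broadcast
```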
More technical details about the vulnerabilities can be found on GitHub:
An update to version 3.0.13 closes the security gaps. The developers advise affected educational institutions that host BBB on their own servers to update the software; there are no workarounds.
Considering the detailed attack descriptions on GitHub, prompt action is advisable.