oss-sec mailing list archives

XSS in BigBlueButton < 2.2.6


From: Hanno Böck <hanno () hboeck de>
Date: Thu, 14 May 2020 10:21:17 +0200

BigBlueButton was vulnerable to Cross Site Scripting in the
Presentation upload.

When one uploads a presentation that is an HTML payload, but named as
an image (e.g. "foo.png"), and allows download, the download would be
served with an HTML MIME type and executed in the browser.

Proof of concept:
* create file named foo.png with content:
<html><script>alert(document.domain)</script>
* Upload as presentation, allow download.
* Click on download.

I reported this to the BigBlueButton developers, but was informed that
at this point it was already fixed. It was previously reported here [1].


[1] https://github.com/bigbluebutton/bigbluebutton/pull/9102

-- 
Hanno Böck
https://hboeck.de/
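
The message above describes an HTML payload named foo.png being served with an HTML MIME type and rendered in the browser. The following is an added example, not part of the original post and not BigBlueButton's actual fix: one defensive way to build the response headers for a user-uploaded download. The function names and the type allowlist are assumptions made for illustration.

```python
# Added example: hypothetical download-handler logic, not BigBlueButton code.
import re

# Magic-byte signatures for the few types this sketch will label by content.
SIGNATURES = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "application/pdf": b"%PDF-",
}
EXTENSION_TYPES = {".png": "image/png", ".jpg": "image/jpeg",
                   ".jpeg": "image/jpeg", ".pdf": "application/pdf"}


def sniff_type(data: bytes):
    """Return the allowlisted MIME type whose signature matches, else None."""
    for mime, magic in SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None


def download_headers(filename: str, data: bytes) -> dict:
    """Build response headers for a user-uploaded file offered for download."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = EXTENSION_TYPES.get(ext)
    actual = sniff_type(data)
    # Trust the type only when name and content agree; otherwise opaque bytes.
    agree = actual is not None and actual == declared
    mime = actual if agree else "application/octet-stream"
    # Replace characters that could break out of the quoted filename parameter.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    return {
        "Content-Type": mime,
        # attachment: the browser saves the file instead of rendering it.
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        # nosniff: the browser must not reinterpret the body as HTML.
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample inputs: the PoC payload from the post, a minimal PNG header.
POC = b"<html><script>alert(document.domain)</script>"
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    print(download_headers("foo.png", POC))
    print(download_headers("slides.png", PNG))
```

With these headers the foo.png payload is delivered as `application/octet-stream` with `Content-Disposition: attachment`, so the browser saves it rather than executing it in the application's origin.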

