CVE-2025-55200
HIGHBigBlueButton < 3.0.13 - Stored Cross-Site Scripting via Username Field in Shared Notes
Title source: llmDescription
BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.13, the "Shared Notes" feature contains a Stored Cross-Site Scripting (XSS) vulnerability with the input location being the "Username" field and the output location on the "Shared Notes" page, when a user with a malicious username is editing content. This vulnerability allows a low-privileged user to execute arbitrary JavaScript in the context of higher-privileged users (e.g., Admins) who open the Shared Notes page. Version 3.0.13 fixes the issue.
References (4)
Core 4
Core References
Vendor Advisory x_refsource_confirm
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-9jv9-cjrm-grj2
Issue Tracking, Product x_refsource_misc
https://github.com/bigbluebutton/bbb-pads/pull/67
Issue Tracking, Patch x_refsource_misc
https://github.com/bigbluebutton/bigbluebutton/pull/23693
Release Notes x_refsource_misc
https://github.com/bigbluebutton/bbb-pads/releases/tag/v1.5.4
Scores
CVSS v3
7.1
EPSS
0.0022
EPSS Percentile
12.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
bigbluebutton/bigbluebutton
< 3.0.13
Published
Oct 09, 2025
Tracked Since
Feb 18, 2026