Stored Cross-Site Scripting Vulnerability in BigBlueButton's Shared Notes Feature
CVE-2025-55200

7.1 HIGH

Key Information:

Vendor
CVE Published: 9 October 2025

What is CVE-2025-55200?

The BigBlueButton virtual classroom platform has a stored cross-site scripting (XSS) vulnerability in its 'Shared Notes' feature in versions prior to 3.0.13. A malicious user can inject arbitrary JavaScript through the 'Username' input field. When a user with elevated privileges, such as an Administrator, opens the 'Shared Notes' page, the injected script executes, potentially compromising user sessions and sensitive data. The issue has been addressed in version 3.0.13.

Affected Version(s)

bigbluebutton < 3.0.13

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
