CVE-2020-12113 | Closed Captions XSS – BigBlueButton

Back in April, as part of my penetration testing project at Catalyst IT, I conducted a test on an open source video conferencing system known as the BigBlueButton, an open source challenger to Zoom.

The BigBlueButton contains a closed captions module, that allows a user to manually type captions, and all users with captions enabled can see them at the bottom of the screen. While the ability to add captions is only restricted to moderator level permissions, this issue is exaggerated, as when the breakout room functionality is used, all users are granted moderator level permissions, allowing them to write captions.

When a payload is inserted into the captions editor, it instantly triggers and appears on the screen of all users. In the screenshot below, on the left, the user has the moderator level permission and is writing the closed captions in the text pad editor. On the right, the user has a standard account with captions enabled.

This issue existed due to ‘dangerouslySetInnerHTML’ being used in the React application. This issue was reported upstream and was fixed by the product owners under this pull request. The issue was also reported to MITRE on 2nd April, and following CVE was released for it accordingly on 23rd April; https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12113.