Unknown · BigBlueButton · CVE-2023-43797
**Name of the Vulnerable Software and Affected Versions**
BigBlueButton versions prior to 2.6.11
BigBlueButton versions prior to 2.7.0-beta.3
**Description**
BigBlueButton is an open-source virtual classroom. Its Guest Lobby, the screen shown to users while they wait to enter a meeting, is vulnerable to cross-site scripting: lobby messages are inserted unsanitized into an element through unsafe innerHTML. The vulnerability is addressed by adding text sanitizing for lobby messages.
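The pattern described above next to a sanitized form, as an added example that is not BigBlueButton's code. The function names, the `lobby-message` class and the sample message are hypothetical and constructed for illustration.

```javascript
// Added example: hypothetical helper names, not BigBlueButton's code.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape every character that could start a tag, attribute value or entity.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// "Before": the message is concatenated into markup as-is, so assigning the
// result to innerHTML lets the browser parse any tags the message contains.
function lobbyMarkupUnsafe(message) {
  return '<p class="lobby-message">' + message + '</p>';
}

// "After": the message is escaped first and can only ever render as text.
function lobbyMarkupSafe(message) {
  return '<p class="lobby-message">' + escapeHtml(message) + '</p>';
}

// Preferred in the browser when no markup is needed: textContent never
// invokes the HTML parser, so no escaping step can be forgotten.
function renderLobbyMessage(element, message) {
  element.textContent = String(message);
}

// Regression check: count opening tags in generated markup. The template
// contributes exactly one (<p>); anything more came from the message.
function countOpeningTags(markup) {
  return (markup.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample message containing markup with an event-handler attribute.
const SAMPLE_MESSAGE = '<img src="x" onerror="marker()"> Please wait & relax';

console.log('unsafe tags:', countOpeningTags(lobbyMarkupUnsafe(SAMPLE_MESSAGE)));
console.log('safe tags:  ', countOpeningTags(lobbyMarkupSafe(SAMPLE_MESSAGE)));
console.log(lobbyMarkupSafe(SAMPLE_MESSAGE));
```

A check like `countOpeningTags` fits a unit test for any component that renders user-supplied lobby text, so a later change back to raw innerHTML fails the build.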
**Recommendations**
For BigBlueButton versions prior to 2.6.11, update to version 2.6.11 or later to resolve the issue.
For BigBlueButton versions prior to 2.7.0-beta.3, update to version 2.7.0-beta.3 or later to resolve the issue.