What's New in BigBlueButton 3.0.24

This iteration of BigBlueButton 3.0 contains security fixes only. We encourage administrators to update to protect their instances.

Missing Authorization Allows Caption Injection

A vulnerability was discovered in the captioning system where a viewer could inject or overwrite captions without proper authorization. This issue is tracked as GHSA-q387-2q28-mg33 and has been resolved in this release.

Open Redirect via Logout URL

An open redirect vulnerability was found in the bigbluebutton/api/join endpoint through the logoutURL parameter. An attacker could potentially redirect users to a malicious site after logout. This issue is tracked as GHSA-cvwj-4pcp-f3g8 and has been fixed.
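An added example, not part of the BigBlueButton release notes or project code: a small audit that scans web server access logs for join requests whose logoutURL points outside an allowlist of hosts, which helps administrators check for suspicious use before and after upgrading. The combined log format, the allowlisted hostnames and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: hosts this deployment legitimately sends users to after logout.
ALLOWED_LOGOUT_HOSTS = {"bbb.example.org", "lms.example.org"}
JOIN_PATH = "/bigbluebutton/api/join"
# Request line inside an nginx/Apache "combined" log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def logout_targets(log_line):
    """Return the decoded logoutURL values carried by a join request, else []."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    parts = urlsplit(m.group(1))
    if parts.path != JOIN_PATH:
        return []
    return parse_qs(parts.query).get("logoutURL", [])

def is_external(target, allowed=ALLOWED_LOGOUT_HOSTS):
    """True when following the target would leave the allowed hosts."""
    # Browsers treat backslashes like slashes, so normalise before parsing.
    parts = urlsplit(target.strip().replace("\\", "/"))
    if not parts.scheme and not parts.netloc:
        return False  # plain relative path stays on the same origin
    if parts.scheme not in ("", "http", "https"):
        return True   # any non-web scheme is never a valid logout target
    return (parts.hostname or "").lower() not in allowed

def audit(lines):
    """Return (line_number, target) for each join request with an off-site logoutURL."""
    return [(n, t)
            for n, line in enumerate(lines, 1)
            for t in logout_targets(line)
            if is_external(t)]

# Constructed sample log lines, not taken from a real server.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /bigbluebutton/api/join?meetingID=m1&fullName=A&logoutURL=https%3A%2F%2Flms.example.org%2Fcourse%2F5&checksum=PLACEHOLDER HTTP/1.1" 302 0 "-" "-"',
    '203.0.113.9 - - [01/Jan/2025:10:01:00 +0000] "GET /bigbluebutton/api/join?meetingID=m1&fullName=B&logoutURL=https%3A%2F%2Funknown.example.net%2Flogin&checksum=PLACEHOLDER HTTP/1.1" 302 0 "-" "-"',
    '203.0.113.9 - - [01/Jan/2025:10:02:00 +0000] "GET /bigbluebutton/api/getMeetings?checksum=PLACEHOLDER HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    for line_no, target in audit(SAMPLE):
        print(f"line {line_no}: off-site logoutURL {target}")
```

Hits on a patched server are still worth reviewing, since they show which links were circulated to users.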

Administrators should update their servers to version 3.0.24 at their earliest convenience to ensure the security of their BigBlueButton installations.