What's New in BigBlueButton 3.0.29

BigBlueButton 3.0.29 is a security-only release, containing fixes for four vulnerabilities. The BigBlueButton team advises administrators to update their installations to protect against these issues.

Blocked Embeddable Shape Types in Whiteboard Annotations

Embeddable shape types were previously allowed in whiteboard annotations, which could be used for malicious purposes. These shape types are now blocked to prevent potential abuse.

Rejected GET-Only Endpoint Requests with Request Bodies

The API now rejects requests to GET-only endpoints when they include a request body. This prevents a class of invalid requests that could lead to unexpected behavior.

Prevented Stored XSS in Recording Playback

A stored cross-site scripting vulnerability in recording playback has been fixed. This prevents attackers from injecting scripts that would execute during playback.

Verified Meeting ID on Presentation Delete Messages

When processing presentation deletion requests, the system now verifies the meeting ID. This ensures only authorized deletions are allowed.

These fixes were contributed by germanocaumo, Tainan404, and paultrudel. Administrators are encouraged to apply this update as soon as possible.