IDCVSSSummaryLast (major) updatePublished
CVE-2020-12113 4.3
BigBlueButton before 2.2.4 allows XSS via closed captions because dangerouslySetInnerHTML in React is used.
30-09-2020 - 18:15 23-04-2020 - 18:15
CVE-2020-12113 4.3
BigBlueButton before 2.2.4 allows XSS via closed captions because dangerouslySetInnerHTML in React is used.
30-09-2020 - 18:15 23-04-2020 - 18:15
CVE-2020-12443 7.5
BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value can be a .pdf filename while the presFilename (mixed case) value has a ../ sequence. This can be leveraged for privilege escalation
06-05-2020 - 14:02 29-04-2020 - 02:15
CVE-2020-12112 5.0
BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion.
05-10-2022 - 18:38 23-04-2020 - 18:15
CVE-2020-25820 4.0
BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field.
29-10-2020 - 16:22 21-10-2020 - 13:15
CVE-2020-27610 5.0
The installation procedure in BigBlueButton before 2.2.28 (or earlier) exposes certain network services to external interfaces, and does not automatically set up a firewall configuration to block external access.
21-07-2021 - 11:39 21-10-2020 - 15:15
CVE-2020-27608 4.3
In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.
29-10-2020 - 16:17 21-10-2020 - 15:15
CVE-2020-27611 7.5
BigBlueButton through 2.2.28 uses STUN/TURN resources from a third party, which may represent an unintended endpoint.
15-06-2022 - 03:16 21-10-2020 - 15:15
CVE-2020-27609 5.0
BigBlueButton through 2.2.28 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant.
29-10-2020 - 16:12 21-10-2020 - 15:15
CVE-2020-27612 4.0
Greenlight in BigBlueButton through 2.2.28 places usernames in room URLs, which may represent an unintended information leak to users in a room, or an information leak to outsiders if any user publishes a screenshot of a browser window.
29-10-2020 - 14:43 21-10-2020 - 15:15
CVE-2020-27605 7.5
BigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox."
29-10-2020 - 17:23 21-10-2020 - 15:15
CVE-2020-27607 6.4
In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a m
29-10-2020 - 17:04 21-10-2020 - 15:15
CVE-2020-27613 4.6
The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which allows local users to achieve unintended FreeSWITCH access.
29-10-2020 - 14:40 21-10-2020 - 15:15
CVE-2020-27604 4.0
BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example)
30-10-2020 - 14:31 21-10-2020 - 15:15
CVE-2020-27603 5.0
BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access external files.
29-10-2020 - 16:34 21-10-2020 - 15:15
CVE-2020-27606 5.0
BigBlueButton before 2.2.28 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
29-10-2020 - 17:15 21-10-2020 - 15:15
CVE-2020-28954 5.0
web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name.
29-11-2020 - 23:41 19-11-2020 - 22:15
CVE-2020-28953 4.0
In BigBlueButton before 2.2.29, a user can vote more than once in a single poll.
21-07-2021 - 11:39 19-11-2020 - 22:15
CVE-2020-29043 5.0
An issue was discovered in BigBlueButton through 2.2.29. When at attacker is able to view an account_activations/edit?token= URI, the attacker can create an approved user account associated with an email address that has an arbitrary domain name.
21-07-2021 - 11:39 26-11-2020 - 18:15
CVE-2020-29042 4.3
An issue was discovered in BigBlueButton through 2.2.29. A brute-force attack may occur because an unlimited number of codes can be entered for a meeting that is protected by an access code.
29-11-2020 - 23:48 26-11-2020 - 18:15
CVE-2021-4143 4.3
Cross-site Scripting (XSS) - Generic in GitHub repository bigbluebutton/bigbluebutton prior to 2.4.0.
25-01-2022 - 14:37 19-01-2022 - 23:15
CVE-2022-27238 3.5
BigBlueButton version 2.4.7 (or earlier) is vulnerable to stored Cross-Site Scripting (XSS) in the private chat functionality. A threat actor could inject JavaScript payload in his/her username. The payload gets executed in the browser of the victim
05-07-2022 - 21:01 24-06-2022 - 16:15
CVE-2022-41960 None
BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3, are subject to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to `validateAuthToken` using a victim'
20-12-2022 - 19:07 16-12-2022 - 00:15
CVE-2022-41963 None
BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3 contain a whiteboard grace period that exists to handle delayed messages, but this grace period could be used by attackers to take actions in the few seconds after their
20-12-2022 - 17:46 16-12-2022 - 14:15
CVE-2022-41962 None
BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6, and 2.5-alpha-1 contain Incorrect Authorization for setting emoji status. A user with moderator rights can use the clear status feature to set any emoji status for o
20-12-2022 - 19:10 16-12-2022 - 13:15
CVE-2022-41961 None
BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are subject to Ineffective user bans. The attacker could register multiple users, and join the meeting with one of them. When that user is banned, they could still jo
20-12-2022 - 19:09 16-12-2022 - 13:15
CVE-2022-23490 None
BigBlueButton is an open source web conferencing system. Versions prior to 2.4.0 expose sensitive information to Unauthorized Actors. This issue affects meetings with polls, where the attacker is a meeting participant. Subscribing to the current-poll
22-12-2022 - 17:55 16-12-2022 - 22:15
CVE-2022-23488 None
BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are vulnerable to Insertion of Sensitive Information Into Sent Data. The moderators-only webcams lock setting is not enforced on the backend, which allows an attacker
27-06-2023 - 15:11 17-12-2022 - 01:15
CVE-2023-33176 None
BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. In affected versions are affected by a Server-Side Request Forgery (SSRF) vulnerability. In an `insertDocument` API request the user is able to supp
05-07-2023 - 17:49 26-06-2023 - 20:15
Back to Top Mark selected
Back to Top