Vulnerabilities related to bigbluebutton - bigbluebutton
CVE-2022-23488 (GCVE-0-2022-23488)
Vulnerability from cvelistv5
Published
2022-12-17 00:28
Modified
2025-04-17 14:33
CWE
Summary
BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are vulnerable to Insertion of Sensitive Information Into Sent Data. The moderators-only webcams lock setting is not enforced on the backend, which allows an attacker to subscribe to viewers' webcams, even when the lock setting is applied. (The required streamId was being sent to all users even with the lock setting applied.) This issue is fixed in version 2.4-rc-6. There are no workarounds. Note that the CNA's CVSS 3.1 vector in the record below (C:N/I:N/A:H) rates only availability impact, which does not match the CWE-200/CWE-201 information-disclosure classification, so the 6.5 base score may understate the confidentiality impact.
References
| URL | Tags |
|---|---|
| https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-j5g3-f74q-rvfq | x_refsource_CONFIRM |
| https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| bigbluebutton | bigbluebutton | < 2.4-rc-6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:43:46.414Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-j5g3-f74q-rvfq",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-j5g3-f74q-rvfq"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-23488",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-17T14:33:10.326288Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T14:33:18.205Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bigbluebutton",
"vendor": "bigbluebutton",
"versions": [
{
"status": "affected",
"version": "\u003c 2.4-rc-6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are vulnerable to Insertion of Sensitive Information Into Sent Data. The moderators-only webcams lock setting is not enforced on the backend, which allows an attacker to subscribe to viewers\u0027 webcams, even when the lock setting is applied. (The required streamId was being sent to all users even with lock setting applied). This issue is fixed in version 2.4-rc-6. There are no workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-17T00:28:46.567Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-j5g3-f74q-rvfq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-j5g3-f74q-rvfq"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6"
}
],
"source": {
"advisory": "GHSA-j5g3-f74q-rvfq",
"discovery": "UNKNOWN"
},
"title": "BigBlueButton vulnerable to Insertion of Sensitive Information Into Sent Data"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-23488",
"datePublished": "2022-12-17T00:28:46.567Z",
"dateReserved": "2022-01-19T21:23:53.762Z",
"dateUpdated": "2025-04-17T14:33:18.205Z",
"requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43798 (GCVE-0-2023-43798)
Vulnerability from cvelistv5
Published
2023-10-30 22:24
Modified
2024-09-05 20:19
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
BigBlueButton is an open-source virtual classroom. BigBlueButton prior to versions 2.6.12 and 2.7.0-rc.1 is vulnerable to Server-Side Request Forgery (SSRF). This issue is a bypass of CVE-2023-33176. A patch in versions 2.6.12 and 2.7.0-rc.1 disabled redirect following at `httpclient.execute`, since the software no longer needs to follow redirects when using `finalUrl`. There are no known workarounds. We recommend upgrading to a patched version of BigBlueButton.
References
| URL | Tags |
|---|---|
| https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-h98v-2h8w-99c4 | x_refsource_CONFIRM |
| https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7 | x_refsource_MISC |
| https://github.com/bigbluebutton/bigbluebutton/pull/18494 | x_refsource_MISC |
| https://github.com/bigbluebutton/bigbluebutton/pull/18580 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| bigbluebutton | bigbluebutton | < 2.6.12; >= 2.7.0-alpha.1, < 2.7.0-rc.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:52:11.270Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-h98v-2h8w-99c4",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-h98v-2h8w-99c4"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/18494",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/18494"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/18580",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/18580"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43798",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T20:19:07.980053Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T20:19:17.331Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bigbluebutton",
"vendor": "bigbluebutton",
"versions": [
{
"status": "affected",
"version": "\u003c 2.6.12"
},
{
"status": "affected",
"version": "\u003e= 2.7.0-alpha.1, \u003c 2.7.0-rc.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open-source virtual classroom. BigBlueButton prior to versions 2.6.12 and 2.7.0-rc.1 is vulnerable to Server-Side Request Forgery (SSRF). This issue is a bypass of CVE-2023-33176. A patch in versions 2.6.12 and 2.7.0-rc.1 disabled follow redirect at `httpclient.execute` since the software no longer has to follow it when using `finalUrl`. There are no known workarounds. We recommend upgrading to a patched version of BigBlueButton."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-30T22:24:59.109Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-h98v-2h8w-99c4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-h98v-2h8w-99c4"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/18494",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/18494"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/18580",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/18580"
}
],
"source": {
"advisory": "GHSA-h98v-2h8w-99c4",
"discovery": "UNKNOWN"
},
"title": "BigBlueButton Blind SSRF When Uploading Presentation (mitigation bypass)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-43798",
"datePublished": "2023-10-30T22:24:59.109Z",
"dateReserved": "2023-09-22T14:51:42.340Z",
"dateUpdated": "2024-09-05T20:19:17.331Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-12113 (GCVE-0-2020-12113)
Vulnerability from cvelistv5
Published
2020-04-23 17:53
Modified
2024-08-04 11:48
CWE
- n/a
Summary
BigBlueButton before 2.2.4 allows XSS via closed captions because dangerouslySetInnerHTML in React is used.
References
| URL | Tags |
|---|---|
| https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.2.4 | x_refsource_MISC |
| https://github.com/bigbluebutton/bigbluebutton/pull/9017 | x_refsource_MISC |
| https://www.sakshamanand.com/cve-2020-12113/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:48:58.232Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.2.4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/9017"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.sakshamanand.com/cve-2020-12113/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton before 2.2.4 allows XSS via closed captions because dangerouslySetInnerHTML in React is used."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-09-30T15:30:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.2.4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/9017"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.sakshamanand.com/cve-2020-12113/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-12113",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "BigBlueButton before 2.2.4 allows XSS via closed captions because dangerouslySetInnerHTML in React is used."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.2.4",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.2.4"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/9017",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/9017"
},
{
"name": "https://www.sakshamanand.com/cve-2020-12113/",
"refsource": "MISC",
"url": "https://www.sakshamanand.com/cve-2020-12113/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-12113",
"datePublished": "2020-04-23T17:53:47",
"dateReserved": "2020-04-23T00:00:00",
"dateUpdated": "2024-08-04T11:48:58.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41964 (GCVE-0-2022-41964)
Vulnerability from cvelistv5
Published
2022-12-16 17:17
Modified
2025-04-17 15:34
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
BigBlueButton is an open source web conferencing system. This vulnerability only affects release candidates of BigBlueButton 2.4. The attacker can start a subscription for poll results before starting an anonymous poll, and use this subscription to see individual responses in the anonymous poll. The attacker had to be a meeting presenter. This issue is patched in version 2.4.0. There are no workarounds.
References
| URL | Tags |
|---|---|
| https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-fgmj-rx7j-fqr4 | x_refsource_CONFIRM |
| https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.0 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| bigbluebutton | bigbluebutton | >= 2.4-alpha-1, < 2.4.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:56:39.086Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-fgmj-rx7j-fqr4",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-fgmj-rx7j-fqr4"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-41964",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-17T15:34:05.525062Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T15:34:13.275Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bigbluebutton",
"vendor": "bigbluebutton",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.4-alpha-1, \u003c 2.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source web conferencing system. This vulnerability only affects release candidates of BigBlueButton 2.4. The attacker can start a subscription for poll results before starting an anonymous poll, and use this subscription to see individual responses in the anonymous poll. The attacker had to be a meeting presenter. This issue is patched in version 2.4.0. There are no workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-16T17:17:15.394Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-fgmj-rx7j-fqr4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-fgmj-rx7j-fqr4"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.0"
}
],
"source": {
"advisory": "GHSA-fgmj-rx7j-fqr4",
"discovery": "UNKNOWN"
},
"title": "BigBlueButton contains Response leaks in anonymous polls"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-41964",
"datePublished": "2022-12-16T17:17:15.394Z",
"dateReserved": "2022-09-30T16:38:28.949Z",
"dateUpdated": "2025-04-17T15:34:13.275Z",
"requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41963 (GCVE-0-2022-41963)
Vulnerability from cvelistv5
Published
2022-12-16 13:00
Modified
2025-04-17 15:35
CWE
- CWE-281 - Improper Preservation of Permissions
Summary
BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3 contain a whiteboard grace period that exists to handle delayed messages, but this grace period could be used by attackers to take actions in the few seconds after their access is revoked. The attacker must be a meeting participant. This issue is patched in version 2.4.3 and version 2.5-alpha-1.
References
| URL | Tags |
|---|---|
| https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-v6p9-926c-6qfp | x_refsource_CONFIRM |
| https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.3 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| bigbluebutton | bigbluebutton | < 2.4.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:56:39.169Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-v6p9-926c-6qfp",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-v6p9-926c-6qfp"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-41963",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-17T15:35:36.300523Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T15:35:44.332Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bigbluebutton",
"vendor": "bigbluebutton",
"versions": [
{
"status": "affected",
"version": "\u003c 2.4.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3 contain a whiteboard grace period that exists to handle delayed messages, but this grace period could be used by attackers to take actions in the few seconds after their access is revoked. The attacker must be a meeting participant. This issue is patched in version 2.4.3 and version 2.5-alpha-1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-281",
"description": "CWE-281: Improper Preservation of Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-16T13:00:42.459Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-v6p9-926c-6qfp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-v6p9-926c-6qfp"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.3"
}
],
"source": {
"advisory": "GHSA-v6p9-926c-6qfp",
"discovery": "UNKNOWN"
},
"title": "BigBlueButton contains Improper Preservation of Permissions for whiteboard"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-41963",
"datePublished": "2022-12-16T13:00:42.459Z",
"dateReserved": "2022-09-30T16:38:28.948Z",
"dateUpdated": "2025-04-17T15:35:44.332Z",
"requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27603 (GCVE-0-2020-27603)
Vulnerability from cvelistv5
Published
2020-10-21 14:09
Modified
2024-08-04 16:18
CWE
- n/a
Summary
BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access external files.
References
| URL | Tags |
|---|---|
| https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:18:44.905Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access external files."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-21T18:18:14",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-27603",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access external files."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html",
"refsource": "MISC",
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-27603",
"datePublished": "2020-10-21T14:09:38",
"dateReserved": "2020-10-21T00:00:00",
"dateUpdated": "2024-08-04T16:18:44.905Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-61601 (GCVE-0-2025-61601)
Vulnerability from cvelistv5
Published
2025-10-09 20:29
Modified
2025-10-09 20:29
CWE
- CWE-703 - Improper Check or Handling of Exceptional Conditions
Summary
BigBlueButton is an open-source virtual classroom. A Denial of Service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to freeze or crash the entire server by abusing the polling feature's `Choices` response type. By submitting a malicious payload with a massive array in the `answerIds` field, the attacker can cause the current meeting — and potentially all meetings on the server — to become unresponsive. Version 3.0.13 contains a patch. No known workarounds are available.
References
| URL | Tags |
|---|---|
| https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-73j3-v3fq-fqx5 | x_refsource_CONFIRM |
| https://github.com/bigbluebutton/bigbluebutton/pull/23662 | x_refsource_MISC |
| https://www.youtube.com/watch?v=BwROSVIYjOY | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| bigbluebutton | bigbluebutton | < 3.0.13 |
{
"containers": {
"cna": {
"affected": [
{
"product": "bigbluebutton",
"vendor": "bigbluebutton",
"versions": [
{
"status": "affected",
"version": "\u003c 3.0.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open-source virtual classroom. A Denial of Service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to freeze or crash the entire server by abusing the polling feature\u0027s `Choices` response type. By submitting a malicious payload with a massive array in the `answerIds` field, the attacker can cause the current meeting \u2014 and potentially all meetings on the server \u2014 to become unresponsive. Version 3.0.13 contains a patch. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-703",
"description": "CWE-703: Improper Check or Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T20:29:25.006Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-73j3-v3fq-fqx5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-73j3-v3fq-fqx5"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/23662",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/23662"
},
{
"name": "https://www.youtube.com/watch?v=BwROSVIYjOY",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.youtube.com/watch?v=BwROSVIYjOY"
}
],
"source": {
"advisory": "GHSA-73j3-v3fq-fqx5",
"discovery": "UNKNOWN"
},
"title": "BigBlueButton vulnerable to DoS via PollSubmitVote GraphQL mutation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61601",
"datePublished": "2025-10-09T20:29:25.006Z",
"dateReserved": "2025-09-26T16:25:25.151Z",
"dateUpdated": "2025-10-09T20:29:25.006Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27606 (GCVE-0-2020-27606)
Vulnerability from cvelistv5
Published
2020-10-21 14:07
Modified
2024-08-04 16:18
CWE
- n/a
Summary
BigBlueButton before 2.2.28 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
References
| URL | Tags |
|---|---|
| https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:18:45.377Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton before 2.2.28 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-21T18:19:52",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-27606",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "BigBlueButton before 2.2.28 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html",
"refsource": "MISC",
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-27606",
"datePublished": "2020-10-21T14:07:44",
"dateReserved": "2020-10-21T00:00:00",
"dateUpdated": "2024-08-04T16:18:45.377Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29233 (GCVE-0-2022-29233)
Vulnerability from cvelistv5
Published
2022-06-01 23:15
Modified
2025-04-23 18:20
CWE
- CWE-285 - Improper Authorization
Summary
BigBlueButton is an open source web conferencing system. In BigBlueButton starting with 2.2 but before 2.3.18 and 2.4-rc-1, an attacker can circumvent access controls to gain access to all breakout rooms of the meeting they are in. The permission checks rely on knowledge of internal ids rather than on verification of the role of the user. Versions 2.3.18 and 2.4-rc-1 contain a patch for this issue. There are currently no known workarounds.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3mr9-p9gw-cf33 | x_refsource_CONFIRM | |
| https://github.com/bigbluebutton/bigbluebutton/pull/13117 | x_refsource_MISC | |
| https://github.com/bigbluebutton/bigbluebutton/pull/14265 | x_refsource_MISC | |
| https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18 | x_refsource_MISC | |
| https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-1 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bigbluebutton | bigbluebutton | Version: >= 2.2, < 2.3.18; Version: >= 2.4-alpha-1, < 2.4-rc-1 | |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:17:54.102Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3mr9-p9gw-cf33"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/13117"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/14265"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-29233",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:06:20.431295Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:20:17.607Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bigbluebutton",
"vendor": "bigbluebutton",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.2, \u003c 2.3.18"
},
{
"status": "affected",
"version": "\u003e= 2.4-alpha-1, \u003c 2.4-rc-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source web conferencing system. In BigBlueButton starting with 2.2 but before 2.3.18 and 2.4-rc-1, an attacker can circumvent access controls to gain access to all breakout rooms of the meeting they are in. The permission checks rely on knowledge of internal ids rather than on verification of the role of the user. Versions 2.3.18 and 2.4-rc-1 contain a patch for this issue. There are currently no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-01T23:15:15.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3mr9-p9gw-cf33"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/13117"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/14265"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-1"
}
],
"source": {
"advisory": "GHSA-3mr9-p9gw-cf33",
"discovery": "UNKNOWN"
},
"title": "Improper access control for breakout rooms in BigBlue Button",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-29233",
"STATE": "PUBLIC",
"TITLE": "Improper access control for breakout rooms in BigBlue Button"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "bigbluebutton",
"version": {
"version_data": [
{
"version_value": "\u003e= 2.2, \u003c 2.3.18"
},
{
"version_value": "\u003e= 2.4-alpha-1, \u003c 2.4-rc-1"
}
]
}
}
]
},
"vendor_name": "bigbluebutton"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "BigBlueButton is an open source web conferencing system. In BigBlueButton starting with 2.2 but before 2.3.18 and 2.4-rc-1, an attacker can circumvent access controls to gain access to all breakout rooms of the meeting they are in. The permission checks rely on knowledge of internal ids rather than on verification of the role of the user. Versions 2.3.18 and 2.4-rc-1 contain a patch for this issue. There are currently no known workarounds."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-285: Improper Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3mr9-p9gw-cf33",
"refsource": "CONFIRM",
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3mr9-p9gw-cf33"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/13117",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/13117"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/14265",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/14265"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-1",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-1"
}
]
},
"source": {
"advisory": "GHSA-3mr9-p9gw-cf33",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-29233",
"datePublished": "2022-06-01T23:15:15.000Z",
"dateReserved": "2022-04-13T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:20:17.607Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27613 (GCVE-0-2020-27613)
Vulnerability from cvelistv5
Published
2020-10-21 14:08
Modified
2024-08-04 16:18
CWE
- n/a
Summary
The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which allows local users to achieve unintended FreeSWITCH access.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:18:44.815Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which allows local users to achieve unintended FreeSWITCH access."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-21T18:58:03",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-27613",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which allows local users to achieve unintended FreeSWITCH access."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html",
"refsource": "MISC",
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-27613",
"datePublished": "2020-10-21T14:08:23",
"dateReserved": "2020-10-21T00:00:00",
"dateUpdated": "2024-08-04T16:18:44.815Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29169 (GCVE-0-2022-29169)
Vulnerability from cvelistv5
Published
2022-06-01 22:20
Modified
2025-04-23 18:20
CWE
- CWE-20 - Improper Input Validation
Summary
BigBlueButton is an open source web conferencing system. Versions starting with 2.2 and prior to 2.3.19, 2.4.7, and 2.5.0-beta.2 are vulnerable to regular expression denial of service (ReDoS) attacks. By triggering a specific regular expression, an attacker can cause a denial of service of the bbb-html5 service. The useragent library performs device detection by parsing the User-Agent header and passing it through lookupUserAgent() (an alias of useragent.lookup()). This function matches the input against regular expressions, and an attacker can abuse that by supplying a ReDoS payload involving `SmartWatch`. The maintainers removed `htmlclient/useragent` in versions 2.3.19, 2.4.7, and 2.5.0-beta.2. As a workaround, stop NginX from forwarding requests to the handler, following the directions in the GitHub Security Advisory.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rwrv-p665-4vwp | x_refsource_CONFIRM | |
| https://github.com/bigbluebutton/bigbluebutton/pull/14886 | x_refsource_MISC | |
| https://github.com/bigbluebutton/bigbluebutton/pull/14896 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bigbluebutton | bigbluebutton | Version: >= 2.2, < 2.3.19; Version: >= 2.4.0, < 2.4.7; Version: >= 2.5-alpha-1, < 2.5.0-beta.2 | |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:17:54.142Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rwrv-p665-4vwp"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/14886"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/14896"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-29169",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:54:39.682316Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:20:31.969Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bigbluebutton",
"vendor": "bigbluebutton",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.2, \u003c 2.3.19"
},
{
"status": "affected",
"version": "\u003e= 2.4.0, \u003c 2.4.7"
},
{
"status": "affected",
"version": "\u003e= 2.5-alpha-1, \u003c 2.5.0-beta.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source web conferencing system. Versions starting with 2.2 and prior to 2.3.19, 2.4.7, and 2.5.0-beta.2 are vulnerable to regular expression denial of service (ReDoS) attacks. By using specific a RegularExpression, an attacker can cause denial of service for the bbb-html5 service. The useragent library performs checking of device by parsing the input of User-Agent header and lets it go through lookupUserAgent() (alias of useragent.lookup() ). This function handles input by regexing and attackers can abuse that by providing some ReDos payload using `SmartWatch`. The maintainers removed `htmlclient/useragent` from versions 2.3.19, 2.4.7, and 2.5.0-beta.2. As a workaround, disable NginX forwarding the requests to the handler according to the directions in the GitHub Security Advisory."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20: Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-01T22:20:12.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rwrv-p665-4vwp"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/14886"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/14896"
}
],
"source": {
"advisory": "GHSA-rwrv-p665-4vwp",
"discovery": "UNKNOWN"
},
"title": "ReDoS on endpoint html5client/useragent in BigBlueButton",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-29169",
"STATE": "PUBLIC",
"TITLE": "ReDoS on endpoint html5client/useragent in BigBlueButton"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "bigbluebutton",
"version": {
"version_data": [
{
"version_value": "\u003e= 2.2, \u003c 2.3.19"
},
{
"version_value": "\u003e= 2.4.0, \u003c 2.4.7"
},
{
"version_value": "\u003e= 2.5-alpha-1, \u003c 2.5.0-beta.2"
}
]
}
}
]
},
"vendor_name": "bigbluebutton"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "BigBlueButton is an open source web conferencing system. Versions starting with 2.2 and prior to 2.3.19, 2.4.7, and 2.5.0-beta.2 are vulnerable to regular expression denial of service (ReDoS) attacks. By using specific a RegularExpression, an attacker can cause denial of service for the bbb-html5 service. The useragent library performs checking of device by parsing the input of User-Agent header and lets it go through lookupUserAgent() (alias of useragent.lookup() ). This function handles input by regexing and attackers can abuse that by providing some ReDos payload using `SmartWatch`. The maintainers removed `htmlclient/useragent` from versions 2.3.19, 2.4.7, and 2.5.0-beta.2. As a workaround, disable NginX forwarding the requests to the handler according to the directions in the GitHub Security Advisory."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20: Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rwrv-p665-4vwp",
"refsource": "CONFIRM",
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rwrv-p665-4vwp"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/14886",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/14886"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/14896",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/14896"
}
]
},
"source": {
"advisory": "GHSA-rwrv-p665-4vwp",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-29169",
"datePublished": "2022-06-01T22:20:12.000Z",
"dateReserved": "2022-04-13T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:20:31.969Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-42803 (GCVE-0-2023-42803)
Vulnerability from cvelistv5
Published
2023-10-30 18:11
Modified
2024-09-06 20:12
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Summary
BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.2 is vulnerable to unrestricted file upload, where the insertDocument API call does not validate the given file extension before saving the file, and does not remove it in case of validation failures. BigBlueButton 2.6.0-beta.2 contains a patch. There are no known workarounds.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-w98f-6x8w-xhjc | x_refsource_CONFIRM | |
| https://github.com/bigbluebutton/bigbluebutton/pull/15990 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bigbluebutton | bigbluebutton | Version: < 2.6.0-beta.2 | |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:30:24.327Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-w98f-6x8w-xhjc",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-w98f-6x8w-xhjc"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/15990",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/15990"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-42803",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-06T20:11:37.351065Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-06T20:12:00.883Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bigbluebutton",
"vendor": "bigbluebutton",
"versions": [
{
"status": "affected",
"version": "\u003c 2.6.0-beta.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.2 is vulnerable to unrestricted file upload, where the insertDocument API call does not validate the given file extension before saving the file, and does not remove it in case of validation failures. BigBlueButton 2.6.0-beta.2 contains a patch. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-30T18:11:35.630Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-w98f-6x8w-xhjc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-w98f-6x8w-xhjc"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/15990",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/15990"
}
],
"source": {
"advisory": "GHSA-w98f-6x8w-xhjc",
"discovery": "UNKNOWN"
},
"title": "BigBlueButton Unrestricted File Upload vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-42803",
"datePublished": "2023-10-30T18:11:35.630Z",
"dateReserved": "2023-09-14T16:13:33.306Z",
"dateUpdated": "2024-09-06T20:12:00.883Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-4143 (GCVE-0-2021-4143)
Vulnerability from cvelistv5
Published
2022-01-19 22:20
Modified
2024-08-03 17:16
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Cross-site Scripting (XSS) - Generic in GitHub repository bigbluebutton/bigbluebutton prior to 2.4.0.
References
| ▼ | URL | Tags |
|---|---|---|
| https://huntr.dev/bounties/e67603e6-8497-4ab6-b93a-02c26407d443 | x_refsource_CONFIRM | |
| https://github.com/bigbluebutton/bigbluebutton/commit/62040bdcb3c2f993ba72ab89f4db2015e18d1706 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bigbluebutton | bigbluebutton/bigbluebutton | Version: unspecified < 2.4.0 | |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:16:04.257Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/e67603e6-8497-4ab6-b93a-02c26407d443"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/62040bdcb3c2f993ba72ab89f4db2015e18d1706"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "bigbluebutton/bigbluebutton",
"vendor": "bigbluebutton",
"versions": [
{
"lessThan": "2.4.0",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Generic in GitHub repository bigbluebutton/bigbluebutton prior to 2.4.0."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-19T22:20:09",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/e67603e6-8497-4ab6-b93a-02c26407d443"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/62040bdcb3c2f993ba72ab89f4db2015e18d1706"
}
],
"source": {
"advisory": "e67603e6-8497-4ab6-b93a-02c26407d443",
"discovery": "EXTERNAL"
},
"title": "Cross-site Scripting (XSS) - Generic in bigbluebutton/bigbluebutton",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2021-4143",
"STATE": "PUBLIC",
"TITLE": "Cross-site Scripting (XSS) - Generic in bigbluebutton/bigbluebutton"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "bigbluebutton/bigbluebutton",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "2.4.0"
}
]
}
}
]
},
"vendor_name": "bigbluebutton"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Generic in GitHub repository bigbluebutton/bigbluebutton prior to 2.4.0."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/e67603e6-8497-4ab6-b93a-02c26407d443",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/e67603e6-8497-4ab6-b93a-02c26407d443"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/commit/62040bdcb3c2f993ba72ab89f4db2015e18d1706",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/62040bdcb3c2f993ba72ab89f4db2015e18d1706"
}
]
},
"source": {
"advisory": "e67603e6-8497-4ab6-b93a-02c26407d443",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2021-4143",
"datePublished": "2022-01-19T22:20:09",
"dateReserved": "2021-12-20T00:00:00",
"dateUpdated": "2024-08-03T17:16:04.257Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27612 (GCVE-0-2020-27612)
Vulnerability from cvelistv5
Published
2020-10-21 14:08
Modified
2024-08-04 16:18
CWE
- n/a
Summary
Greenlight in BigBlueButton through 2.2.28 places usernames in room URLs, which may represent an unintended information leak to users in a room, or an information leak to outsiders if any user publishes a screenshot of a browser window.
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.bigbluebutton.org/admin/privacy.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:18:44.848Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.bigbluebutton.org/admin/privacy.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Greenlight in BigBlueButton through 2.2.28 places usernames in room URLs, which may represent an unintended information leak to users in a room, or an information leak to outsiders if any user publishes a screenshot of a browser window."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-21T18:23:07",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.bigbluebutton.org/admin/privacy.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-27612",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Greenlight in BigBlueButton through 2.2.28 places usernames in room URLs, which may represent an unintended information leak to users in a room, or an information leak to outsiders if any user publishes a screenshot of a browser window."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.bigbluebutton.org/admin/privacy.html",
"refsource": "MISC",
"url": "https://docs.bigbluebutton.org/admin/privacy.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-27612",
"datePublished": "2020-10-21T14:08:05",
"dateReserved": "2020-10-21T00:00:00",
"dateUpdated": "2024-08-04T16:18:44.848Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-29043 (GCVE-0-2020-29043)
Vulnerability from cvelistv5
Published
2020-11-26 17:49
Modified
2024-08-04 16:48
CWE
- n/a
Summary
An issue was discovered in BigBlueButton through 2.2.29. When an attacker is able to view an account_activations/edit?token= URI, the attacker can create an approved user account associated with an email address that has an arbitrary domain name.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/bigbluebutton/bigbluebutton/releases | x_refsource_MISC | |
| https://cxsecurity.com/issue/WLB-2020110211 | x_refsource_MISC | |
| http://packetstormsecurity.com/files/160239/BigBlueButton-2.2.29-E-mail-Validation-Bypass.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:48:01.544Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cxsecurity.com/issue/WLB-2020110211"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/160239/BigBlueButton-2.2.29-E-mail-Validation-Bypass.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in BigBlueButton through 2.2.29. When an attacker is able to view an account_activations/edit?token= URI, the attacker can create an approved user account associated with an email address that has an arbitrary domain name."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-28T18:06:30",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cxsecurity.com/issue/WLB-2020110211"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/160239/BigBlueButton-2.2.29-E-mail-Validation-Bypass.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-29043",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in BigBlueButton through 2.2.29. When an attacker is able to view an account_activations/edit?token= URI, the attacker can create an approved user account associated with an email address that has an arbitrary domain name."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/releases"
},
{
"name": "https://cxsecurity.com/issue/WLB-2020110211",
"refsource": "MISC",
"url": "https://cxsecurity.com/issue/WLB-2020110211"
},
{
"name": "http://packetstormsecurity.com/files/160239/BigBlueButton-2.2.29-E-mail-Validation-Bypass.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/160239/BigBlueButton-2.2.29-E-mail-Validation-Bypass.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-29043",
"datePublished": "2020-11-26T17:49:43",
"dateReserved": "2020-11-24T00:00:00",
"dateUpdated": "2024-08-04T16:48:01.544Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27604 (GCVE-0-2020-27604)
Vulnerability from cvelistv5
Published
2020-10-21 14:09
Modified
2024-08-04 16:18
CWE
- n/a
Summary
BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example) use api/join to join an arbitrary meeting regardless of its guestPolicy setting.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html | x_refsource_MISC | |
| https://docs.bigbluebutton.org/dev/api.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:18:45.447Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.bigbluebutton.org/dev/api.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example) use api/join to join an arbitrary meeting regardless of its guestPolicy setting."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-21T14:09:11",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.bigbluebutton.org/dev/api.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-27604",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example) use api/join to join an arbitrary meeting regardless of its guestPolicy setting."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html",
"refsource": "MISC",
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
},
{
"name": "https://docs.bigbluebutton.org/dev/api.html",
"refsource": "MISC",
"url": "https://docs.bigbluebutton.org/dev/api.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-27604",
"datePublished": "2020-10-21T14:09:11",
"dateReserved": "2020-10-21T00:00:00",
"dateUpdated": "2024-08-04T16:18:45.447Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27602 (GCVE-0-2020-27602)
Vulnerability from cvelistv5
Published
2020-10-21 14:07
Modified
2024-08-04 16:18
CWE
- n/a
Summary
BigBlueButton before 2.2.7 does not have a protection mechanism for separator injection in meetingId, userId, and authToken.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.6...v2.2.7 | x_refsource_MISC | |
| https://github.com/bigbluebutton/bigbluebutton/commit/4bfd924c64da2681f4c037026021f47eb189d717 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:18:45.556Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.6...v2.2.7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/4bfd924c64da2681f4c037026021f47eb189d717"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton before 2.2.7 does not have a protection mechanism for separator injection in meetingId, userId, and authToken."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-29T16:38:53",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.6...v2.2.7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/4bfd924c64da2681f4c037026021f47eb189d717"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-27602",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "BigBlueButton before 2.2.7 does not have a protection mechanism for separator injection in meetingId, userId, and authToken."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.6...v2.2.7",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.6...v2.2.7"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/commit/4bfd924c64da2681f4c037026021f47eb189d717",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/4bfd924c64da2681f4c037026021f47eb189d717"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-27602",
"datePublished": "2020-10-21T14:07:37",
"dateReserved": "2020-10-21T00:00:00",
"dateUpdated": "2024-08-04T16:18:45.556Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-33176 (GCVE-0-2023-33176)
Vulnerability from cvelistv5
Published
2023-06-26 19:50
Modified
2024-11-12 15:18
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. Affected versions are subject to a Server-Side Request Forgery (SSRF) vulnerability. In an `insertDocument` API request the user is able to supply a URL from which the presentation should be downloaded. This URL was being used without having been successfully validated first. An update to the `followRedirect` method in the `PresentationUrlDownloadService` has been made to validate all URLs to be used for presentation download. Two new properties `presentationDownloadSupportedProtocols` and `presentationDownloadBlockedHosts` have also been added to `bigbluebutton.properties` to allow administrators to define what protocols a URL must use and to explicitly define hosts that a presentation cannot be downloaded from. All URLs passed to `insertDocument` must conform to the requirements of the two previously mentioned properties. Additionally, these URLs must resolve to valid addresses, and these addresses must not be local or loopback addresses. There are no workarounds. Users are advised to upgrade to a patched version of BigBlueButton.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bigbluebutton | bigbluebutton |
Version: >= 2.6.0, < 2.6.9 Version: < 2.5.18 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:39:35.770Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/18045",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/18045"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/18052",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/18052"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-33176",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-12T15:18:33.796074Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-12T15:18:46.803Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bigbluebutton",
"vendor": "bigbluebutton",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.6.0, \u003c 2.6.9"
},
{
"status": "affected",
"version": "\u003c 2.5.18"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. Affected versions are subject to a Server-Side Request Forgery (SSRF) vulnerability. In an `insertDocument` API request the user is able to supply a URL from which the presentation should be downloaded. This URL was being used without having been successfully validated first. An update to the `followRedirect` method in the `PresentationUrlDownloadService` has been made to validate all URLs to be used for presentation download. Two new properties `presentationDownloadSupportedProtocols` and `presentationDownloadBlockedHosts` have also been added to `bigbluebutton.properties` to allow administrators to define what protocols a URL must use and to explicitly define hosts that a presentation cannot be downloaded from. All URLs passed to `insertDocument` must conform to the requirements of the two previously mentioned properties. Additionally, these URLs must resolve to valid addresses, and these addresses must not be local or loopback addresses. There are no workarounds. Users are advised to upgrade to a patched version of BigBlueButton."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-06-26T19:50:25.212Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/18045",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/18045"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/18052",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/18052"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71"
}
],
"source": {
"advisory": "GHSA-3q22-hph2-cff7",
"discovery": "UNKNOWN"
},
"title": "Blind SSRF When Uploading Presentation in BigBlueButton"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-33176",
"datePublished": "2023-06-26T19:50:25.212Z",
"dateReserved": "2023-05-17T22:25:50.696Z",
"dateUpdated": "2024-11-12T15:18:46.803Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29236 (GCVE-0-2022-29236)
Vulnerability from cvelistv5
Published
2022-06-01 23:25
Modified
2024-08-03 06:17
CWE
- CWE-285 - Improper Authorization
Summary
BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker can circumvent access restrictions for drawing on the whiteboard. The permission check is inadvertently skipped on the server, due to a previously introduced grace period. The attacker must be a meeting participant. The problem has been patched in versions 2.3.18 and 2.4-rc-6. There are currently no known workarounds.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-p93g-r9gm-9v6r | x_refsource_CONFIRM | |
| https://github.com/bigbluebutton/bigbluebutton/pull/13803 | x_refsource_MISC | |
| https://github.com/bigbluebutton/bigbluebutton/pull/14265 | x_refsource_MISC | |
| https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18 | x_refsource_MISC | |
| https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bigbluebutton | bigbluebutton |
Version: >= 2.2, < 2.3.18 Version: >= 2.4-alpha-1, < 2.4-rc-6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:17:54.254Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-p93g-r9gm-9v6r",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-p93g-r9gm-9v6r"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/13803",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/13803"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/14265",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/14265"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "bigbluebutton",
"vendor": "bigbluebutton",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.2, \u003c 2.3.18"
},
{
"status": "affected",
"version": "\u003e= 2.4-alpha-1, \u003c 2.4-rc-6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker can circumvent access restrictions for drawing on the whiteboard. The permission check is inadvertently skipped on the server, due to a previously introduced grace period. The attacker must be a meeting participant. The problem has been patched in versions 2.3.18 and 2.4-rc-6. There are currently no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-08T18:44:12.855Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-p93g-r9gm-9v6r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-p93g-r9gm-9v6r"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/13803",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/13803"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/14265",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/14265"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6"
}
],
"source": {
"advisory": "GHSA-p93g-r9gm-9v6r",
"discovery": "UNKNOWN"
},
"title": "Improper access control for pencil annotations in BigBlueButton"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-29236",
"datePublished": "2022-06-01T23:25:12",
"dateReserved": "2022-04-13T00:00:00",
"dateUpdated": "2024-08-03T06:17:54.254Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41960 (GCVE-0-2022-41960)
Vulnerability from cvelistv5
Published
2022-12-15 23:56
Modified
2025-04-17 18:07
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Summary
BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3, are subject to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to `validateAuthToken` using a victim's userId, meetingId, and an invalid authToken. This forces the victim to leave the conference, because the resulting verification failure is also observed and handled by the victim's client. The attacker must be a participant in any meeting on the server. This issue is patched in version 2.4.3. There are no workarounds.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rgjp-3r74-g4cm | x_refsource_CONFIRM | |
| https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.3 | x_refsource_MISC | |
| https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bigbluebutton | bigbluebutton |
Version: < 2.4.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:56:38.614Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rgjp-3r74-g4cm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rgjp-3r74-g4cm"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.3"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-41960",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-17T18:07:07.915922Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T18:07:27.624Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bigbluebutton",
"vendor": "bigbluebutton",
"versions": [
{
"status": "affected",
"version": "\u003c 2.4.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3, are subject to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to `validateAuthToken` using a victim\u0027s userId, meetingId, and an invalid authToken. This forces the victim to leave the conference, because the resulting verification failure is also observed and handled by the victim\u0027s client. The attacker must be a participant in any meeting on the server. This issue is patched in version 2.4.3. There are no workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-15T23:56:26.500Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rgjp-3r74-g4cm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rgjp-3r74-g4cm"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.3"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1"
}
],
"source": {
"advisory": "GHSA-rgjp-3r74-g4cm",
"discovery": "UNKNOWN"
},
"title": "BigBlueButton contains DoS via failed authToken validation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-41960",
"datePublished": "2022-12-15T23:56:26.500Z",
"dateReserved": "2022-09-30T16:38:28.947Z",
"dateUpdated": "2025-04-17T18:07:27.624Z",
"requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27608 (GCVE-0-2020-27608)
Vulnerability from cvelistv5
Published
2020-10-21 14:07
Modified
2024-08-04 16:18
CWE
- n/a
Summary
In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:18:44.818Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-21T18:51:24",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-27608",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html",
"refsource": "MISC",
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-27608",
"datePublished": "2020-10-21T14:07:51",
"dateReserved": "2020-10-21T00:00:00",
"dateUpdated": "2024-08-04T16:18:44.818Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-43797 (GCVE-0-2023-43797)
Vulnerability from cvelistv5
Published
2023-10-30 22:18
Modified
2024-09-05 20:20
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
BigBlueButton is an open-source virtual classroom. Prior to versions 2.6.11 and 2.7.0-beta.3, Guest Lobby was vulnerable to cross-site scripting when users wait to enter the meeting, due to inserting unsanitized messages into the element using unsafe innerHTML. Text sanitizing was added for lobby messages starting in versions 2.6.11 and 2.7.0-beta.3. There are no known workarounds.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-v6wg-q866-h73x | x_refsource_CONFIRM | |
| https://github.com/bigbluebutton/bigbluebutton/pull/18392 | x_refsource_MISC | |
| https://github.com/bigbluebutton/bigbluebutton/commit/304bc851a00558f99a908880f4ac44234a074c9d | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bigbluebutton | bigbluebutton |
Version: < 2.6.11 Version: >= 2.7.0-alpha.1, < 2.7.0-beta.3 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:52:11.375Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-v6wg-q866-h73x",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-v6wg-q866-h73x"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/18392",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/18392"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/commit/304bc851a00558f99a908880f4ac44234a074c9d",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/304bc851a00558f99a908880f4ac44234a074c9d"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-43797",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T20:19:44.962386Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T20:20:01.467Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bigbluebutton",
"vendor": "bigbluebutton",
"versions": [
{
"status": "affected",
"version": "\u003c 2.6.11"
},
{
"status": "affected",
"version": "\u003e= 2.7.0-alpha.1, \u003c 2.7.0-beta.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open-source virtual classroom. Prior to versions 2.6.11 and 2.7.0-beta.3, Guest Lobby was vulnerable to cross-site scripting when users wait to enter the meeting due to inserting unsanitized messages to the element using unsafe innerHTML. Text sanitizing was added for lobby messages starting in versions 2.6.11 and 2.7.0-beta.3. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-30T22:22:40.879Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-v6wg-q866-h73x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-v6wg-q866-h73x"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/18392",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/18392"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/commit/304bc851a00558f99a908880f4ac44234a074c9d",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/304bc851a00558f99a908880f4ac44234a074c9d"
}
],
"source": {
"advisory": "GHSA-v6wg-q866-h73x",
"discovery": "UNKNOWN"
},
"title": "BigBlueButton Stored Cross-site Scripting vulnerability at Guest Lobby"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-43797",
"datePublished": "2023-10-30T22:18:11.821Z",
"dateReserved": "2023-09-22T14:51:42.339Z",
"dateUpdated": "2024-09-05T20:20:01.467Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29234 (GCVE-0-2022-29234)
Vulnerability from cvelistv5
Published
2022-06-01 23:20
Modified
2025-04-23 18:20
CWE
- CWE-285 - Improper Authorization
Summary
BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4.1, an attacker could still send messages to a locked chat during a grace period of about 5 seconds after any lock setting in the meeting was changed. The attacker needs to be a participant in the meeting. Versions 2.3.18 and 2.4.1 contain a patch for this issue. There are currently no known workarounds.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-36vc-c338-6xjv | x_refsource_CONFIRM | |
| https://github.com/bigbluebutton/bigbluebutton/pull/13850 | x_refsource_MISC | |
| https://github.com/bigbluebutton/bigbluebutton/pull/14265 | x_refsource_MISC | |
| https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18 | x_refsource_MISC | |
| https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.1 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bigbluebutton | bigbluebutton |
Version: >= 2.2, < 2.3.18 Version: >= 2.4, < 2.4.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:17:54.164Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-36vc-c338-6xjv",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-36vc-c338-6xjv"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/13850",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/13850"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/14265",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/14265"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-29234",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:06:17.770450Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:20:10.802Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bigbluebutton",
"vendor": "bigbluebutton",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.2, \u003c 2.3.18"
},
{
"status": "affected",
"version": "\u003e= 2.4, \u003c 2.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4.1, an attacker could send messages to a locked chat within a grace period of 5s any lock setting in the meeting was changed. The attacker needs to be a participant in the meeting. Versions 2.3.18 and 2.4.1 contain a patch for this issue. There are currently no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-08T18:46:00.400Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-36vc-c338-6xjv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-36vc-c338-6xjv"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/13850",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/13850"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/14265",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/14265"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.1"
}
],
"source": {
"advisory": "GHSA-36vc-c338-6xjv",
"discovery": "UNKNOWN"
},
"title": "Grace period for lock settings in public/private chats in BigBlueButton"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-29234",
"datePublished": "2022-06-01T23:20:14.000Z",
"dateReserved": "2022-04-13T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:20:10.802Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-25820 (GCVE-0-2020-25820)
Vulnerability from cvelistv5
Published
2020-10-21 13:01
Modified
2024-08-04 15:40
CWE
- n/a
Summary
BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field. Note: the record's affected-version text says "before 2.2.7", but the linked references (a PacketStorm advisory against 2.2.25, the fix commit, and the v2.2.26...v2.2.27 compare link) indicate the fix shipped in 2.2.27; operators should verify the affected range against the linked vendor advisory rather than rely on the "2.2.7" figure.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T15:40:36.978Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.redteam-pentesting.de/advisories/rt-sa-2020-005"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/159667/BigBlueButton-2.2.25-File-Disclosure-Server-Side-Request-Forgery.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/71fe1eac1e5bd73a2cd44bd79c001086b250e435"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.26...v2.2.27"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-21T18:36:45",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.redteam-pentesting.de/advisories/rt-sa-2020-005"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/159667/BigBlueButton-2.2.25-File-Disclosure-Server-Side-Request-Forgery.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/71fe1eac1e5bd73a2cd44bd79c001086b250e435"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.26...v2.2.27"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-25820",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.redteam-pentesting.de/advisories/rt-sa-2020-005",
"refsource": "MISC",
"url": "https://www.redteam-pentesting.de/advisories/rt-sa-2020-005"
},
{
"name": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html",
"refsource": "MISC",
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
},
{
"name": "http://packetstormsecurity.com/files/159667/BigBlueButton-2.2.25-File-Disclosure-Server-Side-Request-Forgery.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/159667/BigBlueButton-2.2.25-File-Disclosure-Server-Side-Request-Forgery.html"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/commit/71fe1eac1e5bd73a2cd44bd79c001086b250e435",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/71fe1eac1e5bd73a2cd44bd79c001086b250e435"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.26...v2.2.27",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.26...v2.2.27"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-25820",
"datePublished": "2020-10-21T13:01:48",
"dateReserved": "2020-09-23T00:00:00",
"dateUpdated": "2024-08-04T15:40:36.978Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27611 (GCVE-0-2020-27611)
Vulnerability from cvelistv5
Published
2020-10-21 14:08
Modified
2024-08-04 16:18
CWE
- n/a
Summary
BigBlueButton through 2.2.28 is configured by default to use STUN/TURN resources operated by a third party, so participants' WebRTC connection traffic (and the network metadata that STUN/TURN inherently handles) is sent to an endpoint the deployment operator did not choose. The linked privacy documentation and commit address this; operators should configure their own STUN/TURN servers.
References
| ▼ | URL | Tags |
|---|---|---|
| https://docs.bigbluebutton.org/admin/privacy.html | x_refsource_MISC | |
| https://github.com/bigbluebutton/bigbluebutton/commit/d0bc77c3dbd858295004f15d7a57ec35e6b203d6 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:18:45.516Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.bigbluebutton.org/admin/privacy.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/d0bc77c3dbd858295004f15d7a57ec35e6b203d6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton through 2.2.28 uses STUN/TURN resources from a third party, which may represent an unintended endpoint."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-19T21:17:14",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.bigbluebutton.org/admin/privacy.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/d0bc77c3dbd858295004f15d7a57ec35e6b203d6"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-27611",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "BigBlueButton through 2.2.28 uses STUN/TURN resources from a third party, which may represent an unintended endpoint."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://docs.bigbluebutton.org/admin/privacy.html",
"refsource": "MISC",
"url": "https://docs.bigbluebutton.org/admin/privacy.html"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/commit/d0bc77c3dbd858295004f15d7a57ec35e6b203d6",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/d0bc77c3dbd858295004f15d7a57ec35e6b203d6"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-27611",
"datePublished": "2020-10-21T14:08:35",
"dateReserved": "2020-10-21T00:00:00",
"dateUpdated": "2024-08-04T16:18:45.516Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-42804 (GCVE-0-2023-42804)
Vulnerability from cvelistv5
Published
2023-10-30 18:14
Modified
2024-09-05 20:23
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.1 has a path traversal vulnerability that allows an attacker who knows a valid starting folder path to traverse out of it and read other files without authentication, provided the files have certain extensions (txt, swf, svg, png). In version 2.6.0-beta.1, input validation was added on the parameters being passed and dangerous characters are stripped. There are no known workarounds. Note: the CNA's CVSS vector rates Privileges Required as Low (PR:L), which is at odds with "without authentication" in this description; treat the issue as reachable at least by any low-privileged user and confirm the precondition against the linked advisory.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3qjg-229m-vq84 | x_refsource_CONFIRM | |
| https://github.com/bigbluebutton/bigbluebutton/pull/15960 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bigbluebutton | bigbluebutton |
Version: < 2.6.0-beta.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:30:24.724Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3qjg-229m-vq84",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3qjg-229m-vq84"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/15960",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/15960"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-42804",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T20:22:39.156360Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T20:23:14.540Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bigbluebutton",
"vendor": "bigbluebutton",
"versions": [
{
"status": "affected",
"version": "\u003c 2.6.0-beta.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.1 has a path traversal vulnerability that allows an attacker with a valid starting folder path, to traverse and read other files without authentication, assuming the files have certain extensions (txt, swf, svg, png). In version 2.6.0-beta.1, input validation was added on the parameters being passed and dangerous characters are stripped. There are no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-30T18:14:41.419Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3qjg-229m-vq84",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3qjg-229m-vq84"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/15960",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/15960"
}
],
"source": {
"advisory": "GHSA-3qjg-229m-vq84",
"discovery": "UNKNOWN"
},
"title": "BigBlueButton Path Traversal \u2013 Reading Certain File Extensions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-42804",
"datePublished": "2023-10-30T18:14:41.419Z",
"dateReserved": "2023-09-14T16:13:33.306Z",
"dateUpdated": "2024-09-05T20:23:14.540Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-39302 (GCVE-0-2024-39302)
Vulnerability from cvelistv5
Published
2024-06-28 20:51
Modified
2024-08-02 04:19
CWE
- CWE-269 - Improper Privilege Management
Summary
BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker may be able to exploit overly permissive file permissions on the `/usr/local/bigbluebutton/core/vendor/bundle/ruby/2.7.0/gems/resque-2.6.0` directory (part of bbb-record-core) for privilege escalation, potentially exposing sensitive information on the server. This issue has been patched in versions 2.6.18, 2.7.8 and 3.0.0-alpha.7. Note: the CNA's CVSS vector (C:N/I:N/A:L) scores no confidentiality or integrity impact, which does not match the privilege-escalation and information-exposure impact described here; treat the description as the impact statement and verify against the linked advisory. Operators on older versions can compare the directory's mode and ownership with a patched install.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bigbluebutton | bigbluebutton |
Version: < 2.6.18 Version: >= 2.7.0, < 2.7.8 Version: >= 2.8.0, < 3.0.0-alpha.7 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39302",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-01T20:23:04.572464Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-01T21:23:02.505Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:19:20.698Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-5966-9hw8-q96q",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-5966-9hw8-q96q"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/commit/04e916798b6b1f53f88513df3168f009b57b8f18",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/04e916798b6b1f53f88513df3168f009b57b8f18"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/commit/b9a46197ed924783f06a24381e923b3329b9c91a",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/b9a46197ed924783f06a24381e923b3329b9c91a"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/commit/f4502e4927609374f5356f824f5dac0101f9976a",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/f4502e4927609374f5356f824f5dac0101f9976a"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "bigbluebutton",
"vendor": "bigbluebutton",
"versions": [
{
"status": "affected",
"version": "\u003c 2.6.18"
},
{
"status": "affected",
"version": "\u003e= 2.7.0, \u003c 2.7.8"
},
{
"status": "affected",
"version": "\u003e= 2.8.0, \u003c 3.0.0-alpha.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker may be able to exploit the overly elevated file permissions in the `/usr/local/bigbluebutton/core/vendor/bundle/ruby/2.7.0/gems/resque-2.6.0` directory with the goal of privilege escalation, potentially exposing sensitive information on the server. This issue has been patched in version(s) 2.6.18, 2.7.8 and 3.0.0-alpha.7.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-269",
"description": "CWE-269: Improper Privilege Management",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-28T20:51:59.312Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-5966-9hw8-q96q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-5966-9hw8-q96q"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/commit/04e916798b6b1f53f88513df3168f009b57b8f18",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/04e916798b6b1f53f88513df3168f009b57b8f18"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/commit/b9a46197ed924783f06a24381e923b3329b9c91a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/b9a46197ed924783f06a24381e923b3329b9c91a"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/commit/f4502e4927609374f5356f824f5dac0101f9976a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/f4502e4927609374f5356f824f5dac0101f9976a"
}
],
"source": {
"advisory": "GHSA-5966-9hw8-q96q",
"discovery": "UNKNOWN"
},
"title": "Some bbb-record-core files installed with wrong file permission"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-39302",
"datePublished": "2024-06-28T20:51:59.312Z",
"dateReserved": "2024-06-21T18:15:22.257Z",
"dateUpdated": "2024-08-02T04:19:20.698Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-28954 (GCVE-0-2020-28954)
Vulnerability from cvelistv5
Published
2020-11-19 21:14
Modified
2024-08-04 16:48
CWE
- n/a
Summary
web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks sanitization of certain API parameters, as demonstrated by its accepting control characters in a user name. The fix is in the linked commits (see the v2.2.28...v2.2.29 compare link).
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:48:01.578Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.28...v2.2.29"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/e59bcd0c33a6a3203c011faa8823ba2cac1e4f37"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/issues/10818"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/5c911ddeec4493f40f42e2f137800ed4692004a4"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-19T21:14:53",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.28...v2.2.29"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/e59bcd0c33a6a3203c011faa8823ba2cac1e4f37"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/issues/10818"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/5c911ddeec4493f40f42e2f137800ed4692004a4"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-28954",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.28...v2.2.29",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.28...v2.2.29"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/commit/e59bcd0c33a6a3203c011faa8823ba2cac1e4f37",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/e59bcd0c33a6a3203c011faa8823ba2cac1e4f37"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/issues/10818",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/issues/10818"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/commit/5c911ddeec4493f40f42e2f137800ed4692004a4",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/5c911ddeec4493f40f42e2f137800ed4692004a4"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-28954",
"datePublished": "2020-11-19T21:14:53",
"dateReserved": "2020-11-19T00:00:00",
"dateUpdated": "2024-08-04T16:48:01.578Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-27238 (GCVE-0-2022-27238)
Vulnerability from cvelistv5
Published
2022-06-24 15:15
Modified
2024-08-03 05:25
CWE
- n/a
Summary
BigBlueButton version 2.4.7 (or earlier) is vulnerable to stored Cross-Site Scripting (XSS) in the private chat functionality. A threat actor could inject a JavaScript payload into their username. The payload is executed in the victim's browser each time the attacker sends the victim a private message, or when a notification that the attacker has left the room is displayed.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.mgm-sp.com/en/cve-2022-27238-bigbluebutton-xss/ | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:25:32.237Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.mgm-sp.com/en/cve-2022-27238-bigbluebutton-xss/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton version 2.4.7 (or earlier) is vulnerable to stored Cross-Site Scripting (XSS) in the private chat functionality. A threat actor could inject JavaScript payload in his/her username. The payload gets executed in the browser of the victim each time the attacker sends a private message to the victim or when notification about the attacker leaving room is displayed."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-24T15:15:22",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.mgm-sp.com/en/cve-2022-27238-bigbluebutton-xss/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-27238",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "BigBlueButton version 2.4.7 (or earlier) is vulnerable to stored Cross-Site Scripting (XSS) in the private chat functionality. A threat actor could inject JavaScript payload in his/her username. The payload gets executed in the browser of the victim each time the attacker sends a private message to the victim or when notification about the attacker leaving room is displayed."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.mgm-sp.com/en/cve-2022-27238-bigbluebutton-xss/",
"refsource": "MISC",
"url": "https://www.mgm-sp.com/en/cve-2022-27238-bigbluebutton-xss/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-27238",
"datePublished": "2022-06-24T15:15:22",
"dateReserved": "2022-03-18T00:00:00",
"dateUpdated": "2024-08-03T05:25:32.237Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-12443 (GCVE-0-2020-12443)
Vulnerability from cvelistv5
Published
2020-04-29 01:48
Modified
2024-08-04 11:56
CWE
- n/a
Summary
BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value can be a .pdf filename while the presFilename (mixed case) value has a ../ sequence. This can be leveraged for privilege escalation via a directory traversal to bigbluebutton.properties. NOTE: this issue exists because of an ineffective mitigation to CVE-2020-12112 in which there was an attempted fix within an NGINX configuration file, without considering that the relevant part of NGINX is case-insensitive.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/mclab-hbrs/BBB-POC | x_refsource_MISC | |
| https://github.com/bigbluebutton/bigbluebutton/pull/9259/commits/b21ca8355a57286a1e6df96984b3a4c57679a463 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:56:52.060Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/mclab-hbrs/BBB-POC"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/9259/commits/b21ca8355a57286a1e6df96984b3a4c57679a463"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value can be a .pdf filename while the presFilename (mixed case) value has a ../ sequence. This can be leveraged for privilege escalation via a directory traversal to bigbluebutton.properties. NOTE: this issue exists because of an ineffective mitigation to CVE-2020-12112 in which there was an attempted fix within an NGINX configuration file, without considering that the relevant part of NGINX is case-insensitive."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-04-29T01:48:39",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/mclab-hbrs/BBB-POC"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/9259/commits/b21ca8355a57286a1e6df96984b3a4c57679a463"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-12443",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value can be a .pdf filename while the presFilename (mixed case) value has a ../ sequence. This can be leveraged for privilege escalation via a directory traversal to bigbluebutton.properties. NOTE: this issue exists because of an ineffective mitigation to CVE-2020-12112 in which there was an attempted fix within an NGINX configuration file, without considering that the relevant part of NGINX is case-insensitive."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/mclab-hbrs/BBB-POC",
"refsource": "MISC",
"url": "https://github.com/mclab-hbrs/BBB-POC"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/9259/commits/b21ca8355a57286a1e6df96984b3a4c57679a463",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/9259/commits/b21ca8355a57286a1e6df96984b3a4c57679a463"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-12443",
"datePublished": "2020-04-29T01:48:39",
"dateReserved": "2020-04-29T00:00:00",
"dateUpdated": "2024-08-04T11:56:52.060Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27601 (GCVE-0-2020-27601)
Vulnerability from cvelistv5
Published
2020-10-21 14:09
Modified
2024-08-04 16:18
CWE
- n/a
Summary
In BigBlueButton before 2.2.7, lockSettingsProps.disablePrivateChat does not apply to already opened chats. This occurs in bigbluebutton-html5/imports/ui/components/chat/service.js.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.6...v2.2.7 | x_refsource_MISC | |
| https://github.com/bigbluebutton/bigbluebutton/commit/7dcdfb191373684bafa7b11cdd0128c9869040a1 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:18:44.816Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.6...v2.2.7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/7dcdfb191373684bafa7b11cdd0128c9869040a1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In BigBlueButton before 2.2.7, lockSettingsProps.disablePrivateChat does not apply to already opened chats. This occurs in bigbluebutton-html5/imports/ui/components/chat/service.js."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-29T16:38:50",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.6...v2.2.7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/7dcdfb191373684bafa7b11cdd0128c9869040a1"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-27601",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In BigBlueButton before 2.2.7, lockSettingsProps.disablePrivateChat does not apply to already opened chats. This occurs in bigbluebutton-html5/imports/ui/components/chat/service.js."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.6...v2.2.7",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.6...v2.2.7"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/commit/7dcdfb191373684bafa7b11cdd0128c9869040a1",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/7dcdfb191373684bafa7b11cdd0128c9869040a1"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-27601",
"datePublished": "2020-10-21T14:09:49",
"dateReserved": "2020-10-21T00:00:00",
"dateUpdated": "2024-08-04T16:18:44.816Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31064 (GCVE-0-2022-31064)
Vulnerability from cvelistv5
Published
2022-06-27 19:50
Modified
2025-04-22 17:53
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
BigBlueButton is an open source web conferencing system. Users in meetings with private chat enabled are vulnerable to a cross-site scripting attack in affected versions. The attack occurs when the attacker (with XSS in their name) starts a chat; the JavaScript is then executed in the victim's client. This issue has been addressed in versions 2.4.8 and 2.5.0. There are no known workarounds for this issue.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/bigbluebutton/bigbluebutton/pull/15090 | x_refsource_MISC | |
| https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-hwv2-5pf5-hr87 | x_refsource_CONFIRM | |
| https://github.com/bigbluebutton/bigbluebutton/pull/15067 | x_refsource_MISC | |
| https://pentests.nl/pentest-blog/stored-xss-in-bigbluebutton/ | x_refsource_MISC | |
| http://seclists.org/fulldisclosure/2022/Jun/52 | mailing-list, x_refsource_FULLDISC | |
| http://packetstormsecurity.com/files/167682/BigBlueButton-2.3-2.4.7-Cross-Site-Scripting.html | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bigbluebutton | bigbluebutton |
Version: < 2.4.8 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:03:40.339Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/15090"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-hwv2-5pf5-hr87"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/15067"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://pentests.nl/pentest-blog/stored-xss-in-bigbluebutton/"
},
{
"name": "20220630 BigBlueButton - Stored XSS in username (CVE-2022-31064)",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2022/Jun/52"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/167682/BigBlueButton-2.3-2.4.7-Cross-Site-Scripting.html"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31064",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-22T15:45:59.501520Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-22T17:53:58.466Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bigbluebutton",
"vendor": "bigbluebutton",
"versions": [
{
"status": "affected",
"version": "\u003c 2.4.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source web conferencing system. Users in meetings with private chat enabled are vulnerable to a cross site scripting attack in affected versions. The attack occurs when the attacker (with xss in the name) starts a chat. in the victim\u0027s client the JavaScript will be executed. This issue has been addressed in version 2.4.8 and 2.5.0. There are no known workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-01T16:06:13.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/15090"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-hwv2-5pf5-hr87"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/15067"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://pentests.nl/pentest-blog/stored-xss-in-bigbluebutton/"
},
{
"name": "20220630 BigBlueButton - Stored XSS in username (CVE-2022-31064)",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2022/Jun/52"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/167682/BigBlueButton-2.3-2.4.7-Cross-Site-Scripting.html"
}
],
"source": {
"advisory": "GHSA-hwv2-5pf5-hr87",
"discovery": "UNKNOWN"
},
"title": "Cross site scripting in username that will trigger by sending chat",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31064",
"STATE": "PUBLIC",
"TITLE": "Cross site scripting in username that will trigger by sending chat"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "bigbluebutton",
"version": {
"version_data": [
{
"version_value": "\u003c 2.4.8"
}
]
}
}
]
},
"vendor_name": "bigbluebutton"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "BigBlueButton is an open source web conferencing system. Users in meetings with private chat enabled are vulnerable to a cross site scripting attack in affected versions. The attack occurs when the attacker (with xss in the name) starts a chat. in the victim\u0027s client the JavaScript will be executed. This issue has been addressed in version 2.4.8 and 2.5.0. There are no known workarounds for this issue."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/15090",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/15090"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-hwv2-5pf5-hr87",
"refsource": "CONFIRM",
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-hwv2-5pf5-hr87"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/15067",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/15067"
},
{
"name": "https://pentests.nl/pentest-blog/stored-xss-in-bigbluebutton/",
"refsource": "MISC",
"url": "https://pentests.nl/pentest-blog/stored-xss-in-bigbluebutton/"
},
{
"name": "20220630 BigBlueButton - Stored XSS in username (CVE-2022-31064)",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2022/Jun/52"
},
{
"name": "http://packetstormsecurity.com/files/167682/BigBlueButton-2.3-2.4.7-Cross-Site-Scripting.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/167682/BigBlueButton-2.3-2.4.7-Cross-Site-Scripting.html"
}
]
},
"source": {
"advisory": "GHSA-hwv2-5pf5-hr87",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31064",
"datePublished": "2022-06-27T19:50:14.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-22T17:53:58.466Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27607 (GCVE-0-2020-27607)
Vulnerability from cvelistv5
Published
2020-10-21 14:08
Modified
2024-08-04 16:18
CWE
- n/a
Summary
In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or transmit it to one or more meeting participants or other third parties.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:18:44.440Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or transmit it to one or more meeting participants or other third parties."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-21T18:20:30",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-27607",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or transmit it to one or more meeting participants or other third parties."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html",
"refsource": "MISC",
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-27607",
"datePublished": "2020-10-21T14:08:55",
"dateReserved": "2020-10-21T00:00:00",
"dateUpdated": "2024-08-04T16:18:44.440Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41961 (GCVE-0-2022-41961)
Vulnerability from cvelistv5
Published
2022-12-16 12:24
Modified
2025-04-17 17:24
Summary
BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are subject to ineffective user bans. The attacker could register multiple users and join the meeting with one of them. When that user is banned, they could still join the meeting with the remaining registered users from the same extId. This issue has been fixed by improving permissions such that banning a user removes all users related to their extId, including registered users that have not joined the meeting. This issue is patched in versions 2.4-rc-6 and 2.5-alpha-1. There are no workarounds.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-wxjp-h88g-7fqg | x_refsource_CONFIRM | |
| https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6 | x_refsource_MISC | |
| https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bigbluebutton | bigbluebutton |
Version: < v2.4-rc-6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:56:38.669Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-wxjp-h88g-7fqg",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-wxjp-h88g-7fqg"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-41961",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-17T17:24:38.372018Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T17:24:47.412Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bigbluebutton",
"vendor": "bigbluebutton",
"versions": [
{
"status": "affected",
"version": "\u003c v2.4-rc-6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are subject to Ineffective user bans. The attacker could register multiple users, and join the meeting with one of them. When that user is banned, they could still join the meeting with the remaining registered users from the same extId. This issue has been fixed by improving permissions such that banning a user removes all users related to their extId, including registered users that have not joined the meeting. This issue is patched in versions 2.4-rc-6 and 2.5-alpha-1. There are no workarounds. "
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346: Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-16T12:24:43.465Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-wxjp-h88g-7fqg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-wxjp-h88g-7fqg"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1"
}
],
"source": {
"advisory": "GHSA-wxjp-h88g-7fqg",
"discovery": "UNKNOWN"
},
"title": "BigBlueButton subject to Ineffective user bans"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-41961",
"datePublished": "2022-12-16T12:24:43.465Z",
"dateReserved": "2022-09-30T16:38:28.948Z",
"dateUpdated": "2025-04-17T17:24:47.412Z",
"requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-31065 (GCVE-0-2022-31065)
Vulnerability from cvelistv5
Published
2022-06-27 19:45
Modified
2025-04-23 18:07
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
BigBlueButton is an open source web conferencing system. In affected versions an attacker can embed malicious JS in their username and have it executed on the victim's client. When a user receives a private chat from the attacker (whose username contains malicious JavaScript), the script gets executed; it is also executed when the victim receives a notification that the attacker has left the session. This issue has been patched in versions 2.4.8 and 2.5.0. There are no known workarounds for this issue.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-8m2p-7qv3-qff7 | x_refsource_CONFIRM | |
| https://github.com/bigbluebutton/bigbluebutton/pull/15087 | x_refsource_MISC | |
| https://github.com/bigbluebutton/bigbluebutton/pull/15090 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bigbluebutton | bigbluebutton |
Version: < 2.4.8 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T07:03:40.289Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-8m2p-7qv3-qff7"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/15087"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/15090"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-31065",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:04:35.665485Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:07:44.554Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bigbluebutton",
"vendor": "bigbluebutton",
"versions": [
{
"status": "affected",
"version": "\u003c 2.4.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source web conferencing system. In affected versions an attacker can embed malicious JS in their username and have it executed on the victim\u0027s client. When a user receives a private chat from the attacker (whose username contains malicious JavaScript), the script gets executed. Additionally when the victim receives a notification that the attacker has left the session. This issue has been patched in version 2.4.8 and 2.5.0. There are no known workarounds for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-27T19:45:21.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-8m2p-7qv3-qff7"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/15087"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/15090"
}
],
"source": {
"advisory": "GHSA-8m2p-7qv3-qff7",
"discovery": "UNKNOWN"
},
"title": "Cross site scripting vulnerability for private chat in bigbluebutton",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-31065",
"STATE": "PUBLIC",
"TITLE": "Cross site scripting vulnerability for private chat in bigbluebutton"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "bigbluebutton",
"version": {
"version_data": [
{
"version_value": "\u003c 2.4.8"
}
]
}
}
]
},
"vendor_name": "bigbluebutton"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "BigBlueButton is an open source web conferencing system. In affected versions an attacker can embed malicious JS in their username and have it executed on the victim\u0027s client. When a user receives a private chat from the attacker (whose username contains malicious JavaScript), the script gets executed. The script is also executed when the victim receives a notification that the attacker has left the session. This issue has been patched in versions 2.4.8 and 2.5.0. There are no known workarounds for this issue."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-8m2p-7qv3-qff7",
"refsource": "CONFIRM",
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-8m2p-7qv3-qff7"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/15087",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/15087"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/15090",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/15090"
}
]
},
"source": {
"advisory": "GHSA-8m2p-7qv3-qff7",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-31065",
"datePublished": "2022-06-27T19:45:21.000Z",
"dateReserved": "2022-05-18T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:07:44.554Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-28953 (GCVE-0-2020-28953)
Vulnerability from cvelistv5
Published
2020-11-19 21:15
Modified
2024-08-04 16:48
CWE
- n/a
Summary
In BigBlueButton before 2.2.29, a user can vote more than once in a single poll.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.28...v2.2.29 | x_refsource_MISC | |
| https://github.com/bigbluebutton/bigbluebutton/commit/d2cb02b3bd670265c6b1ba003f87fc261e0ac3e1 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:48:00.604Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.28...v2.2.29"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/d2cb02b3bd670265c6b1ba003f87fc261e0ac3e1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In BigBlueButton before 2.2.29, a user can vote more than once in a single poll."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-19T21:15:05",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.28...v2.2.29"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/d2cb02b3bd670265c6b1ba003f87fc261e0ac3e1"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-28953",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In BigBlueButton before 2.2.29, a user can vote more than once in a single poll."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.28...v2.2.29",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.28...v2.2.29"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/commit/d2cb02b3bd670265c6b1ba003f87fc261e0ac3e1",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/d2cb02b3bd670265c6b1ba003f87fc261e0ac3e1"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-28953",
"datePublished": "2020-11-19T21:15:05",
"dateReserved": "2020-11-19T00:00:00",
"dateUpdated": "2024-08-04T16:48:00.604Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29232 (GCVE-0-2022-29232)
Vulnerability from cvelistv5
Published
2022-06-01 22:25
Modified
2025-04-23 18:20
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
BigBlueButton is an open source web conferencing system. Starting with version 2.2 and prior to versions 2.3.9 and 2.4-beta-1, an attacker can circumvent access controls to obtain the content of public chat messages from different meetings on the server. The attacker must be a participant in a meeting on the server. BigBlueButton versions 2.3.9 and 2.4-beta-1 contain a patch for this issue. There are currently no known workarounds.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3fqh-p4qr-vfm9 | x_refsource_CONFIRM | |
| https://github.com/bigbluebutton/bigbluebutton/pull/12861 | x_refsource_MISC | |
| https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.9 | x_refsource_MISC | |
| https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-beta-1 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bigbluebutton | bigbluebutton |
Version: >= 2.2, < 2.3.9 Version: >= 2.4-alpha-1, < 2.4-beta-1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:17:54.255Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3fqh-p4qr-vfm9"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/12861"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.9"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-beta-1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-29232",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T14:06:23.009997Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T18:20:24.731Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bigbluebutton",
"vendor": "bigbluebutton",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.2, \u003c 2.3.9"
},
{
"status": "affected",
"version": "\u003e= 2.4-alpha-1, \u003c 2.4-beta-1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source web conferencing system. Starting with version 2.2 and prior to versions 2.3.9 and 2.4-beta-1, an attacker can circumvent access controls to obtain the content of public chat messages from different meetings on the server. The attacker must be a participant in a meeting on the server. BigBlueButton versions 2.3.9 and 2.4-beta-1 contain a patch for this issue. There are currently no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-06-01T22:25:11.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3fqh-p4qr-vfm9"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/12861"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.9"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-beta-1"
}
],
"source": {
"advisory": "GHSA-3fqh-p4qr-vfm9",
"discovery": "UNKNOWN"
},
"title": "Exposure of messages in BigBlueButton public chats",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-29232",
"STATE": "PUBLIC",
"TITLE": "Exposure of messages in BigBlueButton public chats"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "bigbluebutton",
"version": {
"version_data": [
{
"version_value": "\u003e= 2.2, \u003c 2.3.9"
},
{
"version_value": "\u003e= 2.4-alpha-1, \u003c 2.4-beta-1"
}
]
}
}
]
},
"vendor_name": "bigbluebutton"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "BigBlueButton is an open source web conferencing system. Starting with version 2.2 and prior to versions 2.3.9 and 2.4-beta-1, an attacker can circumvent access controls to obtain the content of public chat messages from different meetings on the server. The attacker must be a participant in a meeting on the server. BigBlueButton versions 2.3.9 and 2.4-beta-1 contain a patch for this issue. There are currently no known workarounds."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3fqh-p4qr-vfm9",
"refsource": "CONFIRM",
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3fqh-p4qr-vfm9"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/12861",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/12861"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.9",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.9"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-beta-1",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-beta-1"
}
]
},
"source": {
"advisory": "GHSA-3fqh-p4qr-vfm9",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-29232",
"datePublished": "2022-06-01T22:25:12.000Z",
"dateReserved": "2022-04-13T00:00:00.000Z",
"dateUpdated": "2025-04-23T18:20:24.731Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-41962 (GCVE-0-2022-41962)
Vulnerability from cvelistv5
Published
2022-12-16 12:45
Modified
2025-04-17 15:37
CWE
- CWE-863 - Incorrect Authorization
Summary
BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 and 2.5-alpha-1 contain Incorrect Authorization for setting emoji status. A user with moderator rights can use the clear status feature to set any emoji status for other users. Moderators should only be able to set none as the status of other users. This issue is patched in 2.4-rc-6 and 2.5-alpha-1. There are no workarounds.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-88qf-33qm-9mm7 | x_refsource_CONFIRM | |
| https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6 | x_refsource_MISC | |
| https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bigbluebutton | bigbluebutton |
Version: <2.4-rc-6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T12:56:38.640Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-88qf-33qm-9mm7",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-88qf-33qm-9mm7"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-41962",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-17T15:37:43.931142Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T15:37:50.823Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bigbluebutton",
"vendor": "bigbluebutton",
"versions": [
{
"status": "affected",
"version": "\u003c2.4-rc-6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 and 2.5-alpha-1 contain Incorrect Authorization for setting emoji status. A user with moderator rights can use the clear status feature to set any emoji status for other users. Moderators should only be able to set none as the status of other users. This issue is patched in 2.4-rc-6 and 2.5-alpha-1. There are no workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-16T12:45:06.499Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-88qf-33qm-9mm7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-88qf-33qm-9mm7"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1"
}
],
"source": {
"advisory": "GHSA-88qf-33qm-9mm7",
"discovery": "UNKNOWN"
},
"title": "BigBlueButton contains Incorrect Authorization for setting emoji status"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-41962",
"datePublished": "2022-12-16T12:45:06.499Z",
"dateReserved": "2022-09-30T16:38:28.948Z",
"dateUpdated": "2025-04-17T15:37:50.823Z",
"requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-55200 (GCVE-0-2025-55200)
Vulnerability from cvelistv5
Published
2025-10-09 18:51
Modified
2025-10-09 19:08
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.13, the "Shared Notes" feature contains a Stored Cross-Site Scripting (XSS) vulnerability with the input location being the "Username" field and the output location on the "Shared Notes" page, when a user with a malicious username is editing content. This vulnerability allows a low-privileged user to execute arbitrary JavaScript in the context of higher-privileged users (e.g., Admins) who open the Shared Notes page. Version 3.0.13 fixes the issue.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-9jv9-cjrm-grj2 | x_refsource_CONFIRM | |
| https://github.com/bigbluebutton/bbb-pads/pull/67 | x_refsource_MISC | |
| https://github.com/bigbluebutton/bigbluebutton/pull/23693 | x_refsource_MISC | |
| https://github.com/bigbluebutton/bbb-pads/releases/tag/v1.5.4 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bigbluebutton | bigbluebutton |
Version: < 3.0.13 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-55200",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-09T19:08:12.867816Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T19:08:17.415Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bigbluebutton",
"vendor": "bigbluebutton",
"versions": [
{
"status": "affected",
"version": "\u003c 3.0.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.13, the \"Shared Notes\" feature contains a Stored Cross-Site Scripting (XSS) vulnerability with the input location being the \"Username\" field and the output location on the \"Shared Notes\" page, when a user with a malicious username is editing content. This vulnerability allows a low-privileged user to execute arbitrary JavaScript in the context of higher-privileged users (e.g., Admins) who open the Shared Notes page. Version 3.0.13 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T18:51:57.884Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-9jv9-cjrm-grj2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-9jv9-cjrm-grj2"
},
{
"name": "https://github.com/bigbluebutton/bbb-pads/pull/67",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bbb-pads/pull/67"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/23693",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/23693"
},
{
"name": "https://github.com/bigbluebutton/bbb-pads/releases/tag/v1.5.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bbb-pads/releases/tag/v1.5.4"
}
],
"source": {
"advisory": "GHSA-9jv9-cjrm-grj2",
"discovery": "UNKNOWN"
},
"title": "BigBlueButton vulnerable to Stored XSS via name of user at Shared Notes"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-55200",
"datePublished": "2025-10-09T18:51:57.884Z",
"dateReserved": "2025-08-08T21:55:07.965Z",
"dateUpdated": "2025-10-09T19:08:17.415Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-61602 (GCVE-0-2025-61602)
Vulnerability from cvelistv5
Published
2025-10-09 20:40
Modified
2025-10-10 14:30
CWE
- CWE-703 - Improper Check or Handling of Exceptional Conditions
Summary
BigBlueButton is an open-source virtual classroom. A denial-of-service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to crash the chat functionality for all participants in a meeting by sending a malformed `reactionEmojiId` in the GraphQL mutation `chatSendMessageReaction`. Version 3.0.13 contains a patch. No known workarounds are available.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-45j2-m26c-3pcm | x_refsource_CONFIRM | |
| https://github.com/bigbluebutton/bigbluebutton/pull/23651 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bigbluebutton | bigbluebutton |
Version: < 3.0.13 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61602",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-10T14:30:47.957269Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T14:30:50.944Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-45j2-m26c-3pcm"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bigbluebutton",
"vendor": "bigbluebutton",
"versions": [
{
"status": "affected",
"version": "\u003c 3.0.13"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open-source virtual classroom. A denial-of-service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to crash the chat functionality for all participants in a meeting by sending a malformed `reactionEmojiId` in the GraphQL mutation `chatSendMessageReaction`. Version 3.0.13 contains a patch. No known workarounds are available."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-703",
"description": "CWE-703: Improper Check or Handling of Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-09T20:40:04.658Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-45j2-m26c-3pcm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-45j2-m26c-3pcm"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/23651",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/23651"
}
],
"source": {
"advisory": "GHSA-45j2-m26c-3pcm",
"discovery": "UNKNOWN"
},
"title": "BigBlueButton vulnerable to Chat DoS via invalid reactionEmojiId"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61602",
"datePublished": "2025-10-09T20:40:04.658Z",
"dateReserved": "2025-09-26T16:25:25.151Z",
"dateUpdated": "2025-10-10T14:30:50.944Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-38518 (GCVE-0-2024-38518)
Vulnerability from cvelistv5
Published
2024-06-28 20:25
Modified
2024-08-02 04:12
CWE
- CWE-284 - Improper Access Control
Summary
BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker with a valid join link to a meeting can trick BigBlueButton into generating a signed join link with additional parameters. One of those parameters may be "role=moderator", allowing an attacker to join a meeting as moderator using a join link that was originally created for viewer access. This vulnerability has been patched in version(s) 2.6.18, 2.7.8 and 3.0.0-alpha.7.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bigbluebutton | bigbluebutton |
Version: < 2.6.18 Version: >= 2.7.0, < 2.7.8 Version: >= 2.8.0, < 3.0.0-alpha.7 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-38518",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-02T19:57:25.410885Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-03T15:44:56.030Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T04:12:25.127Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-4m48-49h7-f3c4",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-4m48-49h7-f3c4"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/20279",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/20279"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/commit/a9d436accdcd26ea66bed9f391488ac128cd62d1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/a9d436accdcd26ea66bed9f391488ac128cd62d1"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/commit/ea6e9461dceae8fa593543d8c686f77bb8677e72",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/ea6e9461dceae8fa593543d8c686f77bb8677e72"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "bigbluebutton",
"vendor": "bigbluebutton",
"versions": [
{
"status": "affected",
"version": "\u003c 2.6.18"
},
{
"status": "affected",
"version": "\u003e= 2.7.0, \u003c 2.7.8"
},
{
"status": "affected",
"version": "\u003e= 2.8.0, \u003c 3.0.0-alpha.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker with a valid join link to a meeting can trick BigBlueButton into generating a signed join link with additional parameters. One of those parameters may be \"role=moderator\", allowing an attacker to join a meeting as moderator using a join link that was originally created for viewer access. This vulnerability has been patched in version(s) 2.6.18, 2.7.8 and 3.0.0-alpha.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-28T20:25:40.743Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-4m48-49h7-f3c4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-4m48-49h7-f3c4"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/20279",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/20279"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/commit/a9d436accdcd26ea66bed9f391488ac128cd62d1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/a9d436accdcd26ea66bed9f391488ac128cd62d1"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/commit/ea6e9461dceae8fa593543d8c686f77bb8677e72",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/ea6e9461dceae8fa593543d8c686f77bb8677e72"
}
],
"source": {
"advisory": "GHSA-4m48-49h7-f3c4",
"discovery": "UNKNOWN"
},
"title": "bbb-web API additional parameters considered"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-38518",
"datePublished": "2024-06-28T20:25:40.743Z",
"dateReserved": "2024-06-18T16:37:02.727Z",
"dateUpdated": "2024-08-02T04:12:25.127Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27609 (GCVE-0-2020-27609)
Vulnerability from cvelistv5
Published
2020-10-21 14:08
Modified
2024-08-04 16:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
BigBlueButton through 2.2.28 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html | x_refsource_MISC | |
| https://docs.bigbluebutton.org/admin/privacy.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:18:44.879Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://docs.bigbluebutton.org/admin/privacy.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton through 2.2.28 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-21T18:21:36",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.bigbluebutton.org/admin/privacy.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-27609",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "BigBlueButton through 2.2.28 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html",
"refsource": "MISC",
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
},
{
"name": "https://docs.bigbluebutton.org/admin/privacy.html",
"refsource": "MISC",
"url": "https://docs.bigbluebutton.org/admin/privacy.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-27609",
"datePublished": "2020-10-21T14:08:45",
"dateReserved": "2020-10-21T00:00:00",
"dateUpdated": "2024-08-04T16:18:44.879Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-29042 (GCVE-0-2020-29042)
Vulnerability from cvelistv5
Published
2020-11-26 17:51
Modified
2024-08-04 16:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
An issue was discovered in BigBlueButton through 2.2.29. A brute-force attack may occur because an unlimited number of codes can be entered for a meeting that is protected by an access code.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/bigbluebutton/bigbluebutton/releases | x_refsource_MISC | |
| https://cxsecurity.com/issue/WLB-2020110210 | x_refsource_MISC | |
| http://packetstormsecurity.com/files/160238/BigBlueButton-2.2.29-Brute-Force.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:48:01.502Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cxsecurity.com/issue/WLB-2020110210"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/160238/BigBlueButton-2.2.29-Brute-Force.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in BigBlueButton through 2.2.29. A brute-force attack may occur because an unlimited number of codes can be entered for a meeting that is protected by an access code."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-11-28T18:06:31",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cxsecurity.com/issue/WLB-2020110210"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/160238/BigBlueButton-2.2.29-Brute-Force.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-29042",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in BigBlueButton through 2.2.29. A brute-force attack may occur because an unlimited number of codes can be entered for a meeting that is protected by an access code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/releases"
},
{
"name": "https://cxsecurity.com/issue/WLB-2020110210",
"refsource": "MISC",
"url": "https://cxsecurity.com/issue/WLB-2020110210"
},
{
"name": "http://packetstormsecurity.com/files/160238/BigBlueButton-2.2.29-Brute-Force.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/160238/BigBlueButton-2.2.29-Brute-Force.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-29042",
"datePublished": "2020-11-26T17:51:00",
"dateReserved": "2020-11-24T00:00:00",
"dateUpdated": "2024-08-04T16:48:01.502Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27605 (GCVE-0-2020-27605)
Vulnerability from cvelistv5
Published
2020-10-21 14:09
Modified
2024-08-04 16:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
BigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox" (German: weak sandbox).
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:18:45.460Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a \"schwache Sandbox.\""
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-21T18:19:09",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-27605",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "BigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a \"schwache Sandbox.\""
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html",
"refsource": "MISC",
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-27605",
"datePublished": "2020-10-21T14:09:03",
"dateReserved": "2020-10-21T00:00:00",
"dateUpdated": "2024-08-04T16:18:45.460Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23490 (GCVE-0-2022-23490)
Vulnerability from cvelistv5
Published
2022-12-16 21:02
Modified
2025-04-17 14:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
Summary
BigBlueButton is an open source web conferencing system. Versions prior to 2.4.0 expose sensitive information to Unauthorized Actors. This issue affects meetings with polls, where the attacker is a meeting participant. Subscribing to the current-poll collection does not update the client UI, but does give the attacker access to the contents of the collection, which include the individual poll responses. This issue is patched in version 2.4.0. There are no workarounds.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-4qgc-xhw5-6qfg | x_refsource_CONFIRM | |
| https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.0 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bigbluebutton | bigbluebutton |
Version: < 2.4.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:43:46.126Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-4qgc-xhw5-6qfg",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-4qgc-xhw5-6qfg"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.0",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.0"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-23490",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-17T14:34:50.857046Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T14:34:58.102Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "bigbluebutton",
"vendor": "bigbluebutton",
"versions": [
{
"status": "affected",
"version": "\u003c 2.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source web conferencing system. Versions prior to 2.4.0 expose sensitive information to Unauthorized Actors. This issue affects meetings with polls, where the attacker is a meeting participant. Subscribing to the current-poll collection does not update the client UI, but does give the attacker access to the contents of the collection, which include the individual poll responses. This issue is patched in version 2.4.0. There are no workarounds.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-12-16T21:02:30.109Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-4qgc-xhw5-6qfg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-4qgc-xhw5-6qfg"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.0",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.0"
}
],
"source": {
"advisory": "GHSA-4qgc-xhw5-6qfg",
"discovery": "UNKNOWN"
},
"title": "Improper access control to polling votes"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-23490",
"datePublished": "2022-12-16T21:02:30.109Z",
"dateReserved": "2022-01-19T21:23:53.762Z",
"dateUpdated": "2025-04-17T14:34:58.102Z",
"requesterUserId": "c184a3d9-dc98-4c48-a45b-d2d88cf0ac74",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-27610 (GCVE-0-2020-27610)
Vulnerability from cvelistv5
Published
2020-10-21 14:07
Modified
2024-08-04 16:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The installation procedure in BigBlueButton before 2.2.28 (or earlier) exposes certain network services to external interfaces, and does not automatically set up a firewall configuration to block external access.
References
| ▼ | URL | Tags |
|---|---|---|
| https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T16:18:45.515Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The installation procedure in BigBlueButton before 2.2.28 (or earlier) exposes certain network services to external interfaces, and does not automatically set up a firewall configuration to block external access."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-10-21T18:22:07",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-27610",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The installation procedure in BigBlueButton before 2.2.28 (or earlier) exposes certain network services to external interfaces, and does not automatically set up a firewall configuration to block external access."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html",
"refsource": "MISC",
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-27610",
"datePublished": "2020-10-21T14:07:58",
"dateReserved": "2020-10-21T00:00:00",
"dateUpdated": "2024-08-04T16:18:45.515Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-12112 (GCVE-0-2020-12112)
Vulnerability from cvelistv5
Published
2020-04-23 17:53
Modified
2024-08-04 11:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion.
References
| ▼ | URL | Tags |
|---|---|---|
| https://twitter.com/thibeault_chenu/status/1249976515917422593 | x_refsource_MISC | |
| https://twitter.com/bigbluebutton/status/1252706369486180353 | x_refsource_MISC | |
| https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.4...v2.2.5 | x_refsource_MISC | |
| https://cwe.mitre.org/data/definitions/23.html | x_refsource_MISC | |
| https://github.com/tchenu/CVE-2020-12112 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T11:48:58.324Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://twitter.com/thibeault_chenu/status/1249976515917422593"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://twitter.com/bigbluebutton/status/1252706369486180353"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.4...v2.2.5"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://cwe.mitre.org/data/definitions/23.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/tchenu/CVE-2020-12112"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-10T21:23:50",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://twitter.com/thibeault_chenu/status/1249976515917422593"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://twitter.com/bigbluebutton/status/1252706369486180353"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.4...v2.2.5"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://cwe.mitre.org/data/definitions/23.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/tchenu/CVE-2020-12112"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2020-12112",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://twitter.com/thibeault_chenu/status/1249976515917422593",
"refsource": "MISC",
"url": "https://twitter.com/thibeault_chenu/status/1249976515917422593"
},
{
"name": "https://twitter.com/bigbluebutton/status/1252706369486180353",
"refsource": "MISC",
"url": "https://twitter.com/bigbluebutton/status/1252706369486180353"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.4...v2.2.5",
"refsource": "MISC",
"url": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.4...v2.2.5"
},
{
"name": "https://cwe.mitre.org/data/definitions/23.html",
"refsource": "MISC",
"url": "https://cwe.mitre.org/data/definitions/23.html"
},
{
"name": "https://github.com/tchenu/CVE-2020-12112",
"refsource": "MISC",
"url": "https://github.com/tchenu/CVE-2020-12112"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2020-12112",
"datePublished": "2020-04-23T17:53:59",
"dateReserved": "2020-04-23T00:00:00",
"dateUpdated": "2024-08-04T11:48:58.324Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-29235 (GCVE-0-2022-29235)
Vulnerability from cvelistv5
Published
2022-06-01 23:25
Modified
2024-08-03 06:17
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Summary
BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker who is able to obtain the meeting identifier for a meeting on a server can find information related to an external video being shared, like the current timestamp and play/pause. The problem has been patched in versions 2.3.18 and 2.4-rc-6 by modifying the stream to send the data only for users in the meeting. There are currently no known workarounds.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-x82p-j22f-v4q6 | x_refsource_CONFIRM | |
| https://github.com/bigbluebutton/bigbluebutton/pull/13788 | x_refsource_MISC | |
| https://github.com/bigbluebutton/bigbluebutton/pull/14265 | x_refsource_MISC | |
| https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18 | x_refsource_MISC | |
| https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| bigbluebutton | bigbluebutton |
Version: >= 2.2, < 2.3.18 Version: >= 2.4-alpha-1, < 2.4-rc-6 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T06:17:54.233Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-x82p-j22f-v4q6",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-x82p-j22f-v4q6"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/13788",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/13788"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/14265",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/14265"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "bigbluebutton",
"vendor": "bigbluebutton",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.2, \u003c 2.3.18"
},
{
"status": "affected",
"version": "\u003e= 2.4-alpha-1, \u003c 2.4-rc-6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker who is able to obtain the meeting identifier for a meeting on a server can find information related to an external video being shared, like the current timestamp and play/pause. The problem has been patched in versions 2.3.18 and 2.4-rc-6 by modifying the stream to send the data only for users in the meeting. There are currently no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-08T18:44:57.111Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-x82p-j22f-v4q6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-x82p-j22f-v4q6"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/13788",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/13788"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/pull/14265",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/14265"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18"
},
{
"name": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6"
}
],
"source": {
"advisory": "GHSA-x82p-j22f-v4q6",
"discovery": "UNKNOWN"
},
"title": "Limited data exposure for shared external videos in BigBlueButton"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-29235",
"datePublished": "2022-06-01T23:25:18",
"dateReserved": "2022-04-13T00:00:00",
"dateUpdated": "2024-08-03T06:17:54.233Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2020-10-21 15:15
Modified
2024-11-21 05:21
Severity ?
Summary
BigBlueButton through 2.2.28 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://docs.bigbluebutton.org/admin/privacy.html | Not Applicable | |
| cve@mitre.org | https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://docs.bigbluebutton.org/admin/privacy.html | Not Applicable | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DFDA0178-046A-4806-9AA6-5A7DF87FB382",
"versionEndIncluding": "2.2.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton through 2.2.28 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant."
},
{
"lang": "es",
"value": "BigBlueButton versiones hasta 2.2.8, graba una videoconferencia a pesar de la desactivaci\u00f3n de la grabaci\u00f3n de video en la interfaz de usuario. Esto puede resultar en un almacenamiento de datos m\u00e1s all\u00e1 de lo autorizado para un tema o participante espec\u00edfico de la reuni\u00f3n"
}
],
"id": "CVE-2020-27609",
"lastModified": "2024-11-21T05:21:27.470",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-10-21T15:15:27.313",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Not Applicable"
],
"url": "https://docs.bigbluebutton.org/admin/privacy.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Not Applicable"
],
"url": "https://docs.bigbluebutton.org/admin/privacy.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-10-21 15:15
Modified
2024-11-21 05:21
Severity ?
Summary
BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example) use api/join to join an arbitrary meeting regardless of its guestPolicy setting.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "47E99B5C-C512-4F2E-BB9D-429C8CC3CAE3",
"versionEndExcluding": "2.2.8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example) use api/join to join an arbitrary meeting regardless of its guestPolicy setting."
},
{
"lang": "es",
"value": "BigBlueButton versiones anteriores a 2.3, no implementa el sandboxing de LibreOffice.\u0026#xa0;Esto podr\u00eda facilitar a los usuarios autenticados remotos leer el secreto compartido de la API en el archivo bigbluebutton.properties.\u0026#xa0;Con el secreto compartido de la API, un atacante puede (por ejemplo) usar api/join para unirse a una reuni\u00f3n arbitraria independientemente de su configuraci\u00f3n guestPolicy"
}
],
"id": "CVE-2020-27604",
"lastModified": "2024-11-21T05:21:26.540",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-10-21T15:15:26.967",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://docs.bigbluebutton.org/dev/api.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://docs.bigbluebutton.org/dev/api.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-116"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-10-21 13:15
Modified
2024-11-21 05:18
Severity ?
Summary
BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C3387D13-B022-40CE-8B0F-74CFD8DAD88E",
"versionEndExcluding": "2.2.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field."
},
{
"lang": "es",
"value": "BigBlueButton versiones anteriores a 2.2.7, permite a usuarios autenticados remoto leer archivos locales y llevar a cabo ataques SSRF por medio de un documento Office cargado que tiene una URL dise\u00f1ada en un campo xlink ODF"
}
],
"id": "CVE-2020-25820",
"lastModified": "2024-11-21T05:18:50.273",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-10-21T13:15:12.960",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://packetstormsecurity.com/files/159667/BigBlueButton-2.2.25-File-Disclosure-Server-Side-Request-Forgery.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/71fe1eac1e5bd73a2cd44bd79c001086b250e435"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.26...v2.2.27"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.redteam-pentesting.de/advisories/rt-sa-2020-005"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "http://packetstormsecurity.com/files/159667/BigBlueButton-2.2.25-File-Disclosure-Server-Side-Request-Forgery.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/71fe1eac1e5bd73a2cd44bd79c001086b250e435"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.26...v2.2.27"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.redteam-pentesting.de/advisories/rt-sa-2020-005"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-09-29 03:15
Modified
2024-11-21 05:21
Severity ?
Summary
BigBlueButton before 2.2.7 does not have a protection mechanism for separator injection in meetingId, userId, and authToken.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/bigbluebutton/bigbluebutton/commit/4bfd924c64da2681f4c037026021f47eb189d717 | Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.6...v2.2.7 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/commit/4bfd924c64da2681f4c037026021f47eb189d717 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.6...v2.2.7 | Release Notes, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "65958351-4719-44DC-8032-96E259A03862",
"versionEndExcluding": "2.2.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton before 2.2.7 does not have a protection mechanism for separator injection in meetingId, userId, and authToken."
},
{
"lang": "es",
"value": "BigBlueButton versiones anteriores a 2.2.7, no presenta un mecanismo de protecci\u00f3n para la inyecci\u00f3n de separadores en meetingId, userId y authToken"
}
],
"id": "CVE-2020-27602",
"lastModified": "2024-11-21T05:21:26.163",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-09-29T03:15:14.073",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/4bfd924c64da2681f4c037026021f47eb189d717"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.6...v2.2.7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/4bfd924c64da2681f4c037026021f47eb189d717"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.6...v2.2.7"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-11-26 18:15
Modified
2024-11-21 05:23
Severity ?
Summary
An issue was discovered in BigBlueButton through 2.2.29. A brute-force attack may occur because an unlimited number of codes can be entered for a meeting that is protected by an access code.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://packetstormsecurity.com/files/160238/BigBlueButton-2.2.29-Brute-Force.html | Third Party Advisory | |
| cve@mitre.org | https://cxsecurity.com/issue/WLB-2020110210 | Exploit, Third Party Advisory | |
| cve@mitre.org | https://github.com/bigbluebutton/bigbluebutton/releases | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/160238/BigBlueButton-2.2.29-Brute-Force.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cxsecurity.com/issue/WLB-2020110210 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/releases | Release Notes, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "02004AC1-A2BB-4587-B803-24A6B6D4751B",
"versionEndIncluding": "2.2.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in BigBlueButton through 2.2.29. A brute-force attack may occur because an unlimited number of codes can be entered for a meeting that is protected by an access code."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en BigBlueButton versiones hasta 2.2.29.\u0026#xa0;Un ataque de fuerza bruta puede ocurrir porque un n\u00famero ilimitado de c\u00f3digos puede ser ingresados para una reuni\u00f3n que est\u00e1 protegida por un c\u00f3digo de acceso"
}
],
"id": "CVE-2020-29042",
"lastModified": "2024-11-21T05:23:34.777",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-11-26T18:15:10.493",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "http://packetstormsecurity.com/files/160238/BigBlueButton-2.2.29-Brute-Force.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://cxsecurity.com/issue/WLB-2020110210"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://packetstormsecurity.com/files/160238/BigBlueButton-2.2.29-Brute-Force.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://cxsecurity.com/issue/WLB-2020110210"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-307"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-11-19 22:15
Modified
2024-11-21 05:23
Severity ?
Summary
web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5FA0DCDA-3F90-4D22-A5A1-E6CD7861C2B8",
"versionEndExcluding": "2.2.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name."
},
{
"lang": "es",
"value": "web/controllers/ApiController.groovy en BigBlueButton versiones anteriores a 2.2.29 carece de cierta desinfecci\u00f3n de par\u00e1metros, como se demuestra al aceptar caracteres de control en un nombre de usuario"
}
],
"id": "CVE-2020-28954",
"lastModified": "2024-11-21T05:23:22.510",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-11-19T22:15:13.757",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/5c911ddeec4493f40f42e2f137800ed4692004a4"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/e59bcd0c33a6a3203c011faa8823ba2cac1e4f37"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.28...v2.2.29"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/issues/10818"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/5c911ddeec4493f40f42e2f137800ed4692004a4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/e59bcd0c33a6a3203c011faa8823ba2cac1e4f37"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.28...v2.2.29"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/issues/10818"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-116"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-06-26 20:15
Modified
2024-11-21 08:05
Severity ?
4.8 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. Affected versions contain a Server-Side Request Forgery (SSRF) vulnerability. In an `insertDocument` API request the user is able to supply a URL from which the presentation should be downloaded. This URL was being used without having been successfully validated first. An update to the `followRedirect` method in the `PresentationUrlDownloadService` has been made to validate all URLs to be used for presentation download. Two new properties `presentationDownloadSupportedProtocols` and `presentationDownloadBlockedHosts` have also been added to `bigbluebutton.properties` to allow administrators to define what protocols a URL must use and to explicitly define hosts that a presentation cannot be downloaded from. All URLs passed to `insertDocument` must conform to the requirements of the two previously mentioned properties. Additionally, these URLs must resolve to valid addresses, and these addresses must not be local or loopback addresses. There are no workarounds. Users are advised to upgrade to a patched version of BigBlueButton.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * | |
| bigbluebutton | bigbluebutton | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3B7CCA1A-4A56-43B9-A9AA-BB999FB98A72",
"versionEndExcluding": "2.5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "55138784-E1EC-452E-8534-460BBB2A0C7C",
"versionEndExcluding": "2.6.9",
"versionStartIncluding": "2.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. In affected versions are affected by a Server-Side Request Forgery (SSRF) vulnerability. In an `insertDocument` API request the user is able to supply a URL from which the presentation should be downloaded. This URL was being used without having been successfully validated first. An update to the `followRedirect` method in the `PresentationUrlDownloadService` has been made to validate all URLs to be used for presentation download. Two new properties `presentationDownloadSupportedProtocols` and `presentationDownloadBlockedHosts` have also been added to `bigbluebutton.properties` to allow administrators to define what protocols a URL must use and to explicitly define hosts that a presentation cannot be downloaded from. All URLs passed to `insertDocument` must conform to the requirements of the two previously mentioned properties. Additionally, these URLs must resolve to valid addresses, and these addresses must not be local or loopback addresses. There are no workarounds. Users are advised to upgrade to a patched version of BigBlueButton."
}
],
"id": "CVE-2023-33176",
"lastModified": "2024-11-21T08:05:03.173",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 2.5,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-06-26T20:15:10.063",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/18045"
},
{
"source": "security-advisories@github.com",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/18052"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/43394dade595d0707384e4878357901537352415"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/b18aff32e65a47f1eb2c800e86dcfc7a8fb05e71"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/18045"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/18052"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-06-02 00:15
Modified
2024-11-21 06:58
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
BigBlueButton is an open source web conferencing system. In BigBlueButton starting with 2.2 but before 2.3.18 and 2.4-rc-1, an attacker can circumvent access controls to gain access to all breakout rooms of the meeting they are in. The permission checks rely on knowledge of internal ids rather than on verification of the role of the user. Versions 2.3.18 and 2.4-rc-1 contain a patch for this issue. There are currently no known workarounds.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "60814A0D-57C0-4407-B7DD-26A9D5C3DBB1",
"versionEndExcluding": "2.3.18",
"versionStartIncluding": "2.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "C136F53E-2EC5-433F-B354-88DA37689142",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "626A8774-BC38-4F11-A16B-918EC8740C82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta1:*:*:*:*:*:*",
"matchCriteriaId": "33735D00-C2AC-4FDA-B47B-B15D099F26F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta2:*:*:*:*:*:*",
"matchCriteriaId": "98890F0C-2E60-4696-A6E5-F44FB2A1A5BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta3:*:*:*:*:*:*",
"matchCriteriaId": "0C916210-11BF-4F4C-AE3E-29D27135F3F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta4:*:*:*:*:*:*",
"matchCriteriaId": "ABB37B70-021E-48F6-B3D2-0790A4729A3C",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source web conferencing system. In BigBlueButton starting with 2.2 but before 2.3.18 and 2.4-rc-1, an attacker can circumvent access controls to gain access to all breakout rooms of the meeting they are in. The permission checks rely on knowledge of internal ids rather than on verification of the role of the user. Versions 2.3.18 and 2.4-rc-1 contain a patch for this issue. There are currently no known workarounds."
},
{
"lang": "es",
"value": "BigBlueButton es un sistema de conferencias web de c\u00f3digo abierto. En BigBlueButton a partir de la versi\u00f3n 2.2 pero anteriores a 2.3.18 y 2.4-rc-1, un atacante puede evitar los controles de acceso para conseguir acceso a todas las salas de reuni\u00f3n en las que se encuentre. Las comprobaciones de permisos son basadas en el conocimiento de los identificadores internos en lugar de en la verificaci\u00f3n del rol del usuario. Las versiones 2.3.18 y 2.4-rc-1 contienen un parche para este problema. Actualmente no se presentan mitigaciones conocidas"
}
],
"id": "CVE-2022-29233",
"lastModified": "2024-11-21T06:58:46.350",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-02T00:15:08.203",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/13117"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/14265"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3mr9-p9gw-cf33"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/13117"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/14265"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3mr9-p9gw-cf33"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-12-16 18:15
Modified
2024-11-21 07:24
Severity ?
5.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
5.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
5.7 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
Summary
BigBlueButton is an open source web conferencing system. This vulnerability only affects release candidates of BigBlueButton 2.4. The attacker can start a subscription for poll results before starting an anonymous poll, and use this subscription to see individual responses in the anonymous poll. The attacker had to be a meeting presenter. This issue is patched in version 2.4.0. There are no workarounds.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.0 | Release Notes, Third Party Advisory | |
| security-advisories@github.com | https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-fgmj-rx7j-fqr4 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.0 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-fgmj-rx7j-fqr4 | Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "C136F53E-2EC5-433F-B354-88DA37689142",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "626A8774-BC38-4F11-A16B-918EC8740C82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta1:*:*:*:*:*:*",
"matchCriteriaId": "33735D00-C2AC-4FDA-B47B-B15D099F26F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta2:*:*:*:*:*:*",
"matchCriteriaId": "98890F0C-2E60-4696-A6E5-F44FB2A1A5BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta3:*:*:*:*:*:*",
"matchCriteriaId": "0C916210-11BF-4F4C-AE3E-29D27135F3F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta4:*:*:*:*:*:*",
"matchCriteriaId": "ABB37B70-021E-48F6-B3D2-0790A4729A3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "407E0358-75E5-41D9-A624-3C15D2145DDE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc2:*:*:*:*:*:*",
"matchCriteriaId": "12259673-5B79-40E4-8B08-8CB3B9C1A5A9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc3:*:*:*:*:*:*",
"matchCriteriaId": "EC135064-4919-4759-BC25-34C7868F6431",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc4:*:*:*:*:*:*",
"matchCriteriaId": "A0173198-BFAB-49E5-898E-173503C452C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc5:*:*:*:*:*:*",
"matchCriteriaId": "CCB8C413-ECD9-47BF-963C-B3A0F25A1BD8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc6:*:*:*:*:*:*",
"matchCriteriaId": "B8571BDD-2508-4C4F-864D-64BFBE7DC919",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc7:*:*:*:*:*:*",
"matchCriteriaId": "C210D3C3-6741-490D-966D-CE4D5F8A2C39",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source web conferencing system. This vulnerability only affects release candidates of BigBlueButton 2.4. The attacker can start a subscription for poll results before starting an anonymous poll, and use this subscription to see individual responses in the anonymous poll. The attacker had to be a meeting presenter. This issue is patched in version 2.4.0. There are no workarounds."
},
{
"lang": "es",
"value": "BigBlueButton es un sistema de conferencias web de c\u00f3digo abierto. Esta vulnerabilidad solo afecta a las versiones candidatas de BigBlueButton 2.4. El atacante puede iniciar una suscripci\u00f3n para obtener los resultados de la encuesta antes de iniciar una encuesta an\u00f3nima y utilizar esta suscripci\u00f3n para ver las respuestas individuales en la encuesta an\u00f3nima. El atacante deb\u00eda ser presentador de una reuni\u00f3n. Este problema se solucion\u00f3 en la versi\u00f3n 2.4.0. No hay workarounds."
}
],
"id": "CVE-2022-41964",
"lastModified": "2024-11-21T07:24:09.993",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-12-16T18:15:08.407",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-fgmj-rx7j-fqr4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-fgmj-rx7j-fqr4"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-12-16 13:15
Modified
2024-11-21 07:24
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are subject to Ineffective user bans. The attacker could register multiple users, and join the meeting with one of them. When that user is banned, they could still join the meeting with the remaining registered users from the same extId. This issue has been fixed by improving permissions such that banning a user removes all users related to their extId, including registered users that have not joined the meeting. This issue is patched in versions 2.4-rc-6 and 2.5-alpha-1. There are no workarounds.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6 | Release Notes, Third Party Advisory | |
| security-advisories@github.com | https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1 | Release Notes, Third Party Advisory | |
| security-advisories@github.com | https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-wxjp-h88g-7fqg | Patch, Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-wxjp-h88g-7fqg | Patch, Release Notes, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "91AA496D-9C0A-4900-96D5-33E4180B74D4",
"versionEndExcluding": "2.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "C136F53E-2EC5-433F-B354-88DA37689142",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "626A8774-BC38-4F11-A16B-918EC8740C82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta1:*:*:*:*:*:*",
"matchCriteriaId": "33735D00-C2AC-4FDA-B47B-B15D099F26F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta2:*:*:*:*:*:*",
"matchCriteriaId": "98890F0C-2E60-4696-A6E5-F44FB2A1A5BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta3:*:*:*:*:*:*",
"matchCriteriaId": "0C916210-11BF-4F4C-AE3E-29D27135F3F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta4:*:*:*:*:*:*",
"matchCriteriaId": "ABB37B70-021E-48F6-B3D2-0790A4729A3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "407E0358-75E5-41D9-A624-3C15D2145DDE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc3:*:*:*:*:*:*",
"matchCriteriaId": "EC135064-4919-4759-BC25-34C7868F6431",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc4:*:*:*:*:*:*",
"matchCriteriaId": "A0173198-BFAB-49E5-898E-173503C452C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc5:*:*:*:*:*:*",
"matchCriteriaId": "CCB8C413-ECD9-47BF-963C-B3A0F25A1BD8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are subject to Ineffective user bans. The attacker could register multiple users, and join the meeting with one of them. When that user is banned, they could still join the meeting with the remaining registered users from the same extId. This issue has been fixed by improving permissions such that banning a user removes all users related to their extId, including registered users that have not joined the meeting. This issue is patched in versions 2.4-rc-6 and 2.5-alpha-1. There are no workarounds. "
},
{
"lang": "es",
"value": "BigBlueButton es un sistema de conferencias web de c\u00f3digo abierto. Las versiones anteriores a la 2.4-rc-6 est\u00e1n sujetas a prohibiciones de usuarios ineficaces. El atacante podr\u00eda registrar varios usuarios y unirse a la reuni\u00f3n con uno de ellos. Cuando ese usuario est\u00e1 prohibido, a\u00fan puede unirse a la reuni\u00f3n con los usuarios registrados restantes del mismo extId. Este problema se solucion\u00f3 mejorando los permisos, de modo que al prohibir a un usuario se eliminan todos los usuarios relacionados con su extId, incluidos los usuarios registrados que no se han unido a la reuni\u00f3n. Este problema est\u00e1 solucionado en las versiones 2.4-rc-6 y 2.5-alpha-1. No hay workarounds."
}
],
"id": "CVE-2022-41961",
"lastModified": "2024-11-21T07:24:09.590",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-12-16T13:15:08.920",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-wxjp-h88g-7fqg"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-wxjp-h88g-7fqg"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-345"
},
{
"lang": "en",
"value": "CWE-346"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-01-19 23:15
Modified
2024-11-21 06:36
Severity ?
Summary
Cross-site Scripting (XSS) - Generic in GitHub repository bigbluebutton/bigbluebutton prior to 2.4.0.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security@huntr.dev | https://github.com/bigbluebutton/bigbluebutton/commit/62040bdcb3c2f993ba72ab89f4db2015e18d1706 | Patch, Third Party Advisory | |
| security@huntr.dev | https://huntr.dev/bounties/e67603e6-8497-4ab6-b93a-02c26407d443 | Exploit, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/commit/62040bdcb3c2f993ba72ab89f4db2015e18d1706 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://huntr.dev/bounties/e67603e6-8497-4ab6-b93a-02c26407d443 | Exploit, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDC57B52-53A4-4068-ADA9-092D1D43CE30",
"versionEndExcluding": "2.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Cross-site Scripting (XSS) - Generic in GitHub repository bigbluebutton/bigbluebutton prior to 2.4.0."
},
{
"lang": "es",
"value": "Una vulnerabilidad de tipo Cross-site Scripting (XSS) - Gen\u00e9rico en el repositorio de GitHub bigbluebutton/bigbluebutton versiones anteriores a 2.4.0"
}
],
"id": "CVE-2021-4143",
"lastModified": "2024-11-21T06:36:59.620",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "security@huntr.dev",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-01-19T23:15:08.113",
"references": [
{
"source": "security@huntr.dev",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/62040bdcb3c2f993ba72ab89f4db2015e18d1706"
},
{
"source": "security@huntr.dev",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/e67603e6-8497-4ab6-b93a-02c26407d443"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/62040bdcb3c2f993ba72ab89f4db2015e18d1706"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://huntr.dev/bounties/e67603e6-8497-4ab6-b93a-02c26407d443"
}
],
"sourceIdentifier": "security@huntr.dev",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security@huntr.dev",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-06-02 00:15
Modified
2024-11-21 06:58
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker can circumvent access restrictions for drawing on the whiteboard. The permission check is inadvertently skipped on the server, due to a previously introduced grace period. The attacker must be a meeting participant. The problem has been patched in versions 2.3.18 and 2.4-rc-6. There are currently no known workarounds.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "60814A0D-57C0-4407-B7DD-26A9D5C3DBB1",
"versionEndExcluding": "2.3.18",
"versionStartIncluding": "2.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "C136F53E-2EC5-433F-B354-88DA37689142",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "626A8774-BC38-4F11-A16B-918EC8740C82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta1:*:*:*:*:*:*",
"matchCriteriaId": "33735D00-C2AC-4FDA-B47B-B15D099F26F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta2:*:*:*:*:*:*",
"matchCriteriaId": "98890F0C-2E60-4696-A6E5-F44FB2A1A5BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta3:*:*:*:*:*:*",
"matchCriteriaId": "0C916210-11BF-4F4C-AE3E-29D27135F3F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta4:*:*:*:*:*:*",
"matchCriteriaId": "ABB37B70-021E-48F6-B3D2-0790A4729A3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "407E0358-75E5-41D9-A624-3C15D2145DDE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc3:*:*:*:*:*:*",
"matchCriteriaId": "EC135064-4919-4759-BC25-34C7868F6431",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc4:*:*:*:*:*:*",
"matchCriteriaId": "A0173198-BFAB-49E5-898E-173503C452C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc5:*:*:*:*:*:*",
"matchCriteriaId": "CCB8C413-ECD9-47BF-963C-B3A0F25A1BD8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker can circumvent access restrictions for drawing on the whiteboard. The permission check is inadvertently skipped on the server, due to a previously introduced grace period. The attacker must be a meeting participant. The problem has been patched in versions 2.3.18 and 2.4-rc-6. There are currently no known workarounds."
},
{
"lang": "es",
"value": "BigBlueButton es un sistema de conferencias web de c\u00f3digo abierto. A partir de la versi\u00f3n 2.2 y anteriores a las versiones 2.3.18 y 2.4-rc-6, un atacante puede omitir las restricciones de acceso para dibujar en la pizarra. La comprobaci\u00f3n de permisos es omitida inadvertidamente en el servidor, debido a un periodo de gracia introducido previamente. El atacante debe ser un participante de la reuni\u00f3n. El problema ha sido parcheado en las versiones 2.3.18 y 2.4-rc-6. Actualmente no se conocen mitigaciones."
}
],
"id": "CVE-2022-29236",
"lastModified": "2024-11-21T06:58:46.737",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-02T00:15:08.483",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/13803"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/14265"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-p93g-r9gm-9v6r"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/13803"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/14265"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-p93g-r9gm-9v6r"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-12-16 22:15
Modified
2024-11-21 06:48
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
BigBlueButton is an open source web conferencing system. Versions prior to 2.4.0 expose sensitive information to Unauthorized Actors. This issue affects meetings with polls, where the attacker is a meeting participant. Subscribing to the current-poll collection does not update the client UI, but does give the attacker access to the contents of the collection, which include the individual poll responses. This issue is patched in version 2.4.0. There are no workarounds.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.0 | Release Notes, Third Party Advisory | |
| security-advisories@github.com | https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-4qgc-xhw5-6qfg | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.0 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-4qgc-xhw5-6qfg | Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDC57B52-53A4-4068-ADA9-092D1D43CE30",
"versionEndExcluding": "2.4.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source web conferencing system. Versions prior to 2.4.0 expose sensitive information to Unauthorized Actors. This issue affects meetings with polls, where the attacker is a meeting participant. Subscribing to the current-poll collection does not update the client UI, but does give the attacker access to the contents of the collection, which include the individual poll responses. This issue is patched in version 2.4.0. There are no workarounds.\n"
},
{
"lang": "es",
"value": "BigBlueButton es un sistema de conferencias web de c\u00f3digo abierto. Las versiones anteriores a la 2.4.0 exponen informaci\u00f3n confidencial a actores no autorizados. Este problema afecta a las reuniones con encuestas, en las que el atacante es un participante de la reuni\u00f3n. La suscripci\u00f3n a la colecci\u00f3n de encuestas actual no actualiza la interfaz de usuario del cliente, pero le da al atacante acceso al contenido de la colecci\u00f3n, que incluye las respuestas de la encuesta individual. Este problema se solucion\u00f3 en la versi\u00f3n 2.4.0. No hay workarounds."
}
],
"id": "CVE-2022-23490",
"lastModified": "2024-11-21T06:48:40.130",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-12-16T22:15:08.743",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.0"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-4qgc-xhw5-6qfg"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-4qgc-xhw5-6qfg"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
},
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-06-01 23:15
Modified
2024-11-21 06:58
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
BigBlueButton is an open source web conferencing system. Starting with version 2.2 and prior to versions 2.3.9 and 2.4-beta-1, an attacker can circumvent access controls to obtain the content of public chat messages from different meetings on the server. The attacker must be a participant in a meeting on the server. BigBlueButton versions 2.3.9 and 2.4-beta-1 contain a patch for this issue. There are currently no known workarounds.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "94F7AE6E-379C-469A-A24A-AFD5E657A3A5",
"versionEndExcluding": "2.3.9",
"versionStartIncluding": "2.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "C136F53E-2EC5-433F-B354-88DA37689142",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "626A8774-BC38-4F11-A16B-918EC8740C82",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source web conferencing system. Starting with version 2.2 and prior to versions 2.3.9 and 2.4-beta-1, an attacker can circumvent access controls to obtain the content of public chat messages from different meetings on the server. The attacker must be a participant in a meeting on the server. BigBlueButton versions 2.3.9 and 2.4-beta-1 contain a patch for this issue. There are currently no known workarounds."
},
{
"lang": "es",
"value": "BigBlueButton es un sistema de conferencias web de c\u00f3digo abierto. A partir de la versi\u00f3n 2.2 y anteriores a 2.3.9 y 2.4-beta-1, un atacante puede evitar los controles de acceso para obtener el contenido de los mensajes de chat p\u00fablicos de diferentes reuniones en el servidor. El atacante debe ser un participante en una reuni\u00f3n en el servidor. BigBlueButton versiones 2.3.9 y 2.4-beta-1, contienen un parche para este problema. Actualmente no son conocidas mitigaciones para este problema"
}
],
"id": "CVE-2022-29232",
"lastModified": "2024-11-21T06:58:46.227",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-01T23:15:08.037",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/12861"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.9"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-beta-1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3fqh-p4qr-vfm9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/12861"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.9"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-beta-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3fqh-p4qr-vfm9"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-10-21 15:15
Modified
2024-11-21 05:21
Severity ?
Summary
BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access external files.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C3387D13-B022-40CE-8B0F-74CFD8DAD88E",
"versionEndExcluding": "2.2.27",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access external files."
},
{
"lang": "es",
"value": "BigBlueButton versiones anteriores a 2.2.7, presenta una configuraci\u00f3n JODConverter no segura en la que las conversiones de documentos de LibreOffice pueden acceder a archivos externos"
}
],
"id": "CVE-2020-27603",
"lastModified": "2024-11-21T05:21:26.350",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-10-21T15:15:26.890",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-10-21 15:15
Modified
2024-11-21 05:21
Severity ?
Summary
BigBlueButton through 2.2.28 uses STUN/TURN resources from a third party, which may represent an unintended endpoint.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DFDA0178-046A-4806-9AA6-5A7DF87FB382",
"versionEndIncluding": "2.2.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton through 2.2.28 uses STUN/TURN resources from a third party, which may represent an unintended endpoint."
},
{
"lang": "es",
"value": "BigBlueButton versiones hasta 2.2.8, utiliza recursos STUN/TURN de un tercero, que pueden representar un endpoint no previsto"
}
],
"id": "CVE-2020-27611",
"lastModified": "2024-11-21T05:21:27.840",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-10-21T15:15:27.437",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Not Applicable"
],
"url": "https://docs.bigbluebutton.org/admin/privacy.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/d0bc77c3dbd858295004f15d7a57ec35e6b203d6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Not Applicable"
],
"url": "https://docs.bigbluebutton.org/admin/privacy.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/d0bc77c3dbd858295004f15d7a57ec35e6b203d6"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-327"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-06-27 20:15
Modified
2024-11-21 07:03
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
BigBlueButton is an open source web conferencing system. Users in meetings with private chat enabled are vulnerable to a cross-site scripting attack in affected versions. The attack occurs when the attacker (with an XSS payload in their name) starts a chat; the JavaScript is then executed in the victim's client. This issue has been addressed in versions 2.4.8 and 2.5.0. There are no known workarounds for this issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * | |
| bigbluebutton | bigbluebutton | 2.3.0 | |
| bigbluebutton | bigbluebutton | 2.4.9 | |
| bigbluebutton | bigbluebutton | 2.5 | |
| bigbluebutton | bigbluebutton | 2.5 | |
| bigbluebutton | bigbluebutton | 2.5 | |
| bigbluebutton | bigbluebutton | 2.5 | |
| bigbluebutton | bigbluebutton | 2.5 | |
| bigbluebutton | bigbluebutton | 2.5 | |
| bigbluebutton | bigbluebutton | 2.5 | |
| bigbluebutton | bigbluebutton | 2.5 | |
| bigbluebutton | bigbluebutton | 2.5 | |
| bigbluebutton | bigbluebutton | 2.5 | |
| bigbluebutton | bigbluebutton | 2.5 | |
| bigbluebutton | bigbluebutton | 2.5 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E908036F-9DE8-4FE0-91D0-551180F18E45",
"versionEndExcluding": "2.4.8",
"versionStartIncluding": "2.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "00E68199-1E2F-4EED-91DA-5F1D7EF1F2D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4.9:*:*:*:*:*:*:*",
"matchCriteriaId": "BC4F5D2C-5425-4DCA-BE33-618EDFB75891",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "5380CCEF-88B8-43AA-A76E-18076B1CAE94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "B30DFF3F-F71E-4412-88F8-790A4A4F459B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:alpha3:*:*:*:*:*:*",
"matchCriteriaId": "F75A0FD2-BF0A-42AE-8D87-1A749BF1B47F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:alpha4:*:*:*:*:*:*",
"matchCriteriaId": "454FF756-9526-4A5E-A2A5-390393791F37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:alpha5:*:*:*:*:*:*",
"matchCriteriaId": "F7AC4A50-4156-4856-B92D-09E128169D17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:alpha6:*:*:*:*:*:*",
"matchCriteriaId": "2AB075EF-BD7A-4AD6-9B0E-2A0242198626",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:beta1:*:*:*:*:*:*",
"matchCriteriaId": "080771DC-2CB1-4397-B10E-3B267A476205",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:beta2:*:*:*:*:*:*",
"matchCriteriaId": "A3B75DB6-C8D6-4349-AD41-ED203F93623D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:rc.1:*:*:*:*:*:*",
"matchCriteriaId": "6290761B-4651-4737-BEA8-D6CDFD09E9E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:rc.2:*:*:*:*:*:*",
"matchCriteriaId": "B33A1517-C060-4694-A534-E58776451A4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:rc.3:*:*:*:*:*:*",
"matchCriteriaId": "FAEFCFE7-7A4A-4382-AA30-6069ED41D67B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:rc.4:*:*:*:*:*:*",
"matchCriteriaId": "6166891D-220A-46A6-A149-76E802FC47D5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source web conferencing system. Users in meetings with private chat enabled are vulnerable to a cross site scripting attack in affected versions. The attack occurs when the attacker (with xss in the name) starts a chat. in the victim\u0027s client the JavaScript will be executed. This issue has been addressed in version 2.4.8 and 2.5.0. There are no known workarounds for this issue."
},
{
"lang": "es",
"value": "BigBlueButton es un sistema de conferencias web de c\u00f3digo abierto. Los usuarios de las reuniones con el chat privado habilitado son vulnerables a un ataque de tipo cross site scripting en las versiones afectadas. El ataque es producido cuando el atacante (con un ataque de tipo xss en el nombre) inicia un chat. en el cliente de la v\u00edctima ser\u00e1 ejecutado el JavaScript. Este problema ha sido abordado en las versiones 2.4.8 y 2.5.0. No se presentan mitigaciones conocidas para este problema"
}
],
"id": "CVE-2022-31064",
"lastModified": "2024-11-21T07:03:49.180",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 2.1,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 3.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-27T20:15:08.587",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/167682/BigBlueButton-2.3-2.4.7-Cross-Site-Scripting.html"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2022/Jun/52"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/15067"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/15090"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-hwv2-5pf5-hr87"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://pentests.nl/pentest-blog/stored-xss-in-bigbluebutton/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/167682/BigBlueButton-2.3-2.4.7-Cross-Site-Scripting.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Mailing List",
"Third Party Advisory"
],
"url": "http://seclists.org/fulldisclosure/2022/Jun/52"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/15067"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/15090"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-hwv2-5pf5-hr87"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://pentests.nl/pentest-blog/stored-xss-in-bigbluebutton/"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-09-29 03:15
Modified
2024-11-21 05:21
Severity ?
Summary
In BigBlueButton before 2.2.7, lockSettingsProps.disablePrivateChat does not apply to already opened chats. This occurs in bigbluebutton-html5/imports/ui/components/chat/service.js.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/bigbluebutton/bigbluebutton/commit/7dcdfb191373684bafa7b11cdd0128c9869040a1 | Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.6...v2.2.7 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/commit/7dcdfb191373684bafa7b11cdd0128c9869040a1 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.6...v2.2.7 | Release Notes, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "65958351-4719-44DC-8032-96E259A03862",
"versionEndExcluding": "2.2.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In BigBlueButton before 2.2.7, lockSettingsProps.disablePrivateChat does not apply to already opened chats. This occurs in bigbluebutton-html5/imports/ui/components/chat/service.js."
},
{
"lang": "es",
"value": "En BigBlueButton versiones anteriores a 2.2.7, el archivo lockSettingsProps.disablePrivateChat no es aplicado a los chats ya abiertos. Esto ocurre en bigbluebutton-html5/imports/ui/components/chat/service.js"
}
],
"id": "CVE-2020-27601",
"lastModified": "2024-11-21T05:21:25.930",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-09-29T03:15:14.023",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/7dcdfb191373684bafa7b11cdd0128c9869040a1"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.6...v2.2.7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/7dcdfb191373684bafa7b11cdd0128c9869040a1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.6...v2.2.7"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-668"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-06-24 16:15
Modified
2024-11-21 06:55
Severity ?
Summary
BigBlueButton version 2.4.7 (or earlier) is vulnerable to stored Cross-Site Scripting (XSS) in the private chat functionality. A threat actor could inject a JavaScript payload into their username. The payload is executed in the victim's browser each time the attacker sends a private message to the victim or when the notification about the attacker leaving the room is displayed.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://www.mgm-sp.com/en/cve-2022-27238-bigbluebutton-xss/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.mgm-sp.com/en/cve-2022-27238-bigbluebutton-xss/ | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "0AF21C97-CC2D-4DEA-933D-9C0F6EFCAF04",
"versionEndIncluding": "2.4.7",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton version 2.4.7 (or earlier) is vulnerable to stored Cross-Site Scripting (XSS) in the private chat functionality. A threat actor could inject JavaScript payload in his/her username. The payload gets executed in the browser of the victim each time the attacker sends a private message to the victim or when notification about the attacker leaving room is displayed."
},
{
"lang": "es",
"value": "BigBlueButton versi\u00f3n 2.4.7 (o anterior) es vulnerable a un ataque de tipo Cross-Site Scripting (XSS) almacenado en la funcionalidad private chat. Un actor de la amenaza podr\u00eda inyectar una carga \u00fatil de JavaScript en su nombre de usuario. La carga \u00fatil es ejecutada en el navegador de la v\u00edctima cada vez que el atacante env\u00eda un mensaje privado a la v\u00edctima o cuando se muestra una notificaci\u00f3n sobre la salida del atacante"
}
],
"id": "CVE-2022-27238",
"lastModified": "2024-11-21T06:55:28.333",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-24T16:15:09.243",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://www.mgm-sp.com/en/cve-2022-27238-bigbluebutton-xss/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.mgm-sp.com/en/cve-2022-27238-bigbluebutton-xss/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-10-21 15:15
Modified
2024-11-21 05:21
Severity ?
Summary
The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which allows local users to achieve unintended FreeSWITCH access.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "03C04F2C-F450-414C-8C19-66553C737676",
"versionEndExcluding": "2.2.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which allows local users to achieve unintended FreeSWITCH access."
},
{
"lang": "es",
"value": "El procedimiento de instalaci\u00f3n en BigBlueButton versiones anteriores a 2.2.28 (o anteriores) utilizan ClueCon como la contrase\u00f1a de FreeSWITCH, que permite a los usuarios locales lograr un acceso de FreeSWITCH no previsto"
}
],
"id": "CVE-2020-27613",
"lastModified": "2024-11-21T05:21:28.230",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "LOCAL",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 3.9,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.5,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-10-21T15:15:27.577",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-312"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-06-27 20:15
Modified
2024-11-21 07:03
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
BigBlueButton is an open source web conferencing system. In affected versions an attacker can embed malicious JS in their username and have it executed on the victim's client. When a user receives a private chat from the attacker (whose username contains malicious JavaScript), the script gets executed. The script is also executed when the victim receives a notification that the attacker has left the session. This issue has been patched in version 2.4.8 and 2.5.0. There are no known workarounds for this issue. Note that the NVD configuration data below also lists 2.4.9 as a vulnerable version, which conflicts with the stated fix in 2.4.8; verify the deployed version against the GitHub advisory rather than relying on the version range alone.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/bigbluebutton/bigbluebutton/pull/15087 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/bigbluebutton/bigbluebutton/pull/15090 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-8m2p-7qv3-qff7 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/pull/15087 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/pull/15090 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-8m2p-7qv3-qff7 | Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * | |
| bigbluebutton | bigbluebutton | 2.3.0 | |
| bigbluebutton | bigbluebutton | 2.4.9 | |
| bigbluebutton | bigbluebutton | 2.5 | |
| bigbluebutton | bigbluebutton | 2.5 | |
| bigbluebutton | bigbluebutton | 2.5 | |
| bigbluebutton | bigbluebutton | 2.5 | |
| bigbluebutton | bigbluebutton | 2.5 | |
| bigbluebutton | bigbluebutton | 2.5 | |
| bigbluebutton | bigbluebutton | 2.5 | |
| bigbluebutton | bigbluebutton | 2.5 | |
| bigbluebutton | bigbluebutton | 2.5 | |
| bigbluebutton | bigbluebutton | 2.5 | |
| bigbluebutton | bigbluebutton | 2.5 | |
| bigbluebutton | bigbluebutton | 2.5 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E908036F-9DE8-4FE0-91D0-551180F18E45",
"versionEndExcluding": "2.4.8",
"versionStartIncluding": "2.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "00E68199-1E2F-4EED-91DA-5F1D7EF1F2D5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4.9:*:*:*:*:*:*:*",
"matchCriteriaId": "BC4F5D2C-5425-4DCA-BE33-618EDFB75891",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "5380CCEF-88B8-43AA-A76E-18076B1CAE94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "B30DFF3F-F71E-4412-88F8-790A4A4F459B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:alpha3:*:*:*:*:*:*",
"matchCriteriaId": "F75A0FD2-BF0A-42AE-8D87-1A749BF1B47F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:alpha4:*:*:*:*:*:*",
"matchCriteriaId": "454FF756-9526-4A5E-A2A5-390393791F37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:alpha5:*:*:*:*:*:*",
"matchCriteriaId": "F7AC4A50-4156-4856-B92D-09E128169D17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:alpha6:*:*:*:*:*:*",
"matchCriteriaId": "2AB075EF-BD7A-4AD6-9B0E-2A0242198626",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:beta1:*:*:*:*:*:*",
"matchCriteriaId": "080771DC-2CB1-4397-B10E-3B267A476205",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:beta2:*:*:*:*:*:*",
"matchCriteriaId": "A3B75DB6-C8D6-4349-AD41-ED203F93623D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:rc.1:*:*:*:*:*:*",
"matchCriteriaId": "6290761B-4651-4737-BEA8-D6CDFD09E9E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:rc.2:*:*:*:*:*:*",
"matchCriteriaId": "B33A1517-C060-4694-A534-E58776451A4A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:rc.3:*:*:*:*:*:*",
"matchCriteriaId": "FAEFCFE7-7A4A-4382-AA30-6069ED41D67B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:rc.4:*:*:*:*:*:*",
"matchCriteriaId": "6166891D-220A-46A6-A149-76E802FC47D5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source web conferencing system. In affected versions an attacker can embed malicious JS in their username and have it executed on the victim\u0027s client. When a user receives a private chat from the attacker (whose username contains malicious JavaScript), the script gets executed. The script is also executed when the victim receives a notification that the attacker has left the session. This issue has been patched in version 2.4.8 and 2.5.0. There are no known workarounds for this issue."
},
{
"lang": "es",
"value": "BigBlueButton es un sistema de conferencias web de c\u00f3digo abierto. En versiones afectadas un atacante puede insertar JS malicioso en su nombre de usuario y hacer que sea ejecutado en el cliente de la v\u00edctima. Cuando un usuario recibe un chat privado del atacante (cuyo nombre de usuario contiene JavaScript malicioso), el script ser\u00e1 ejecutado. Adem\u00e1s, cuando la v\u00edctima recibe una notificaci\u00f3n de que el atacante ha abandonado la sesi\u00f3n. Este problema ha sido parcheado en versiones 2.4.8 y 2.5.0. No se presentan mitigaciones conocidas para este problema"
}
],
"id": "CVE-2022-31065",
"lastModified": "2024-11-21T07:03:49.330",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 3.7,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-27T20:15:08.650",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/15087"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/15090"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-8m2p-7qv3-qff7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/15087"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/15090"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-8m2p-7qv3-qff7"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-06-01 23:15
Modified
2024-11-21 06:58
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
BigBlueButton is an open source web conferencing system. Versions starting with 2.2 and prior to 2.3.19, 2.4.7, and 2.5.0-beta.2 are vulnerable to regular expression denial of service (ReDoS) attacks. By supplying a specially crafted User-Agent value, an unauthenticated attacker can cause denial of service for the bbb-html5 service. The useragent library performs device detection by parsing the User-Agent header and passing it through lookupUserAgent() (an alias of useragent.lookup()). This function matches the input against regular expressions, and an attacker can abuse that by providing a ReDoS payload targeting the `SmartWatch` pattern. The maintainers removed `htmlclient/useragent` from versions 2.3.19, 2.4.7, and 2.5.0-beta.2. As a workaround, disable NginX forwarding the requests to the handler according to the directions in the GitHub Security Advisory.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/bigbluebutton/bigbluebutton/pull/14886 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/bigbluebutton/bigbluebutton/pull/14896 | Patch, Third Party Advisory | |
| security-advisories@github.com | https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rwrv-p665-4vwp | Mitigation, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/pull/14886 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/pull/14896 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rwrv-p665-4vwp | Mitigation, Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * | |
| bigbluebutton | bigbluebutton | * | |
| bigbluebutton | bigbluebutton | 2.5 | |
| bigbluebutton | bigbluebutton | 2.5 | |
| bigbluebutton | bigbluebutton | 2.5 | |
| bigbluebutton | bigbluebutton | 2.5 | |
| bigbluebutton | bigbluebutton | 2.5 | |
| bigbluebutton | bigbluebutton | 2.5 | |
| bigbluebutton | bigbluebutton | 2.5 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3A9BA43E-5B7C-4B62-AE0E-72776BD3F281",
"versionEndExcluding": "2.3.19",
"versionStartIncluding": "2.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2DC6C975-3730-40C0-9FE1-EE4A40BCF98B",
"versionEndExcluding": "2.4.7",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "5380CCEF-88B8-43AA-A76E-18076B1CAE94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "B30DFF3F-F71E-4412-88F8-790A4A4F459B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:alpha3:*:*:*:*:*:*",
"matchCriteriaId": "F75A0FD2-BF0A-42AE-8D87-1A749BF1B47F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:alpha4:*:*:*:*:*:*",
"matchCriteriaId": "454FF756-9526-4A5E-A2A5-390393791F37",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:alpha5:*:*:*:*:*:*",
"matchCriteriaId": "F7AC4A50-4156-4856-B92D-09E128169D17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:alpha6:*:*:*:*:*:*",
"matchCriteriaId": "2AB075EF-BD7A-4AD6-9B0E-2A0242198626",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.5:beta1:*:*:*:*:*:*",
"matchCriteriaId": "080771DC-2CB1-4397-B10E-3B267A476205",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source web conferencing system. Versions starting with 2.2 and prior to 2.3.19, 2.4.7, and 2.5.0-beta.2 are vulnerable to regular expression denial of service (ReDoS) attacks. By supplying a specially crafted User-Agent value, an attacker can cause denial of service for the bbb-html5 service. The useragent library performs device detection by parsing the User-Agent header and passing it through lookupUserAgent() (an alias of useragent.lookup()). This function matches the input against regular expressions, and an attacker can abuse that by providing a ReDoS payload targeting the `SmartWatch` pattern. The maintainers removed `htmlclient/useragent` from versions 2.3.19, 2.4.7, and 2.5.0-beta.2. As a workaround, disable NginX forwarding the requests to the handler according to the directions in the GitHub Security Advisory."
},
{
"lang": "es",
"value": "BigBlueButton es un sistema de conferencias web de c\u00f3digo abierto. Las versiones a partir de 2.2 y anteriores a 2.3.19, 2.4.7 y 2.5.0-beta.2 son vulnerables a ataques de denegaci\u00f3n de servicio con expresiones regulares (ReDoS). Usando una RegularExpression espec\u00edfica, un atacante puede causar una denegaci\u00f3n de servicio para el servicio bbb-html5. La biblioteca useragent lleva a cabo una comprobaci\u00f3n del dispositivo al analizar la entrada del encabezado User-Agent y la hace pasar por lookupUserAgent() (alias de useragent.lookup() ). Esta funci\u00f3n maneja la entrada mediante regexing y atacantes pueden abusar de ello al proporcionar alguna carga \u00fatil ReDos usando \"SmartWatch\". Los mantenedores han eliminado \"htmlclient/useragent\" de las versiones 2.3.19, 2.4.7 y 2.5.0-beta.2. Como mitigaci\u00f3n, deshabilite que NginX reenv\u00ede las peticiones al administrador seg\u00fan las indicaciones del aviso de seguridad de GitHub"
}
],
"id": "CVE-2022-29169",
"lastModified": "2024-11-21T06:58:37.840",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-01T23:15:07.970",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/14886"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/14896"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rwrv-p665-4vwp"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/14886"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/14896"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mitigation",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rwrv-p665-4vwp"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-1333"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-11-26 18:15
Modified
2024-11-21 05:23
Severity ?
Summary
An issue was discovered in BigBlueButton through 2.2.29. When an attacker is able to view an account_activations/edit?token= URI, the attacker can create an approved user account associated with an email address that has an arbitrary domain name, bypassing the intended e-mail domain validation.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://packetstormsecurity.com/files/160239/BigBlueButton-2.2.29-E-mail-Validation-Bypass.html | Third Party Advisory | |
| cve@mitre.org | https://cxsecurity.com/issue/WLB-2020110211 | Exploit, Third Party Advisory | |
| cve@mitre.org | https://github.com/bigbluebutton/bigbluebutton/releases | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/160239/BigBlueButton-2.2.29-E-mail-Validation-Bypass.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://cxsecurity.com/issue/WLB-2020110211 | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/releases | Release Notes, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "02004AC1-A2BB-4587-B803-24A6B6D4751B",
"versionEndIncluding": "2.2.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in BigBlueButton through 2.2.29. When an attacker is able to view an account_activations/edit?token= URI, the attacker can create an approved user account associated with an email address that has an arbitrary domain name."
},
{
"lang": "es",
"value": "Se detect\u00f3 un problema en BigBlueButton versiones hasta 2.2.29.\u0026#xa0;Cuando el atacante puede visualizar un URI account_activations/edit?token=, el atacante puede crear una cuenta de usuario aprobada asociada con una direcci\u00f3n de correo electr\u00f3nico que tenga un nombre de dominio arbitrario"
}
],
"id": "CVE-2020-29043",
"lastModified": "2024-11-21T05:23:34.977",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-11-26T18:15:10.633",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "http://packetstormsecurity.com/files/160239/BigBlueButton-2.2.29-E-mail-Validation-Bypass.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://cxsecurity.com/issue/WLB-2020110211"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://packetstormsecurity.com/files/160239/BigBlueButton-2.2.29-E-mail-Validation-Bypass.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://cxsecurity.com/issue/WLB-2020110211"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-04-29 02:15
Modified
2024-11-21 04:59
Severity ?
Summary
BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value can be a .pdf filename while the presFilename (mixed case) value has a ../ sequence. This can be leveraged for privilege escalation via a directory traversal to bigbluebutton.properties. NOTE: this issue exists because of an ineffective mitigation to CVE-2020-12112 in which there was an attempted fix within an NGINX configuration file, without considering that the relevant part of NGINX is case-insensitive.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/bigbluebutton/bigbluebutton/pull/9259/commits/b21ca8355a57286a1e6df96984b3a4c57679a463 | Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/mclab-hbrs/BBB-POC | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/pull/9259/commits/b21ca8355a57286a1e6df96984b3a4c57679a463 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/mclab-hbrs/BBB-POC | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D85D343D-D25C-4B39-A011-2E4987CECD52",
"versionEndExcluding": "2.2.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value can be a .pdf filename while the presFilename (mixed case) value has a ../ sequence. This can be leveraged for privilege escalation via a directory traversal to bigbluebutton.properties. NOTE: this issue exists because of an ineffective mitigation to CVE-2020-12112 in which there was an attempted fix within an NGINX configuration file, without considering that the relevant part of NGINX is case-insensitive."
},
{
"lang": "es",
"value": "BigBlueButton versiones anteriores a 2.2.6, permite a atacantes remotos leer archivos arbitrarios porque el valor de presfilename (min\u00fasculas) puede ser un nombre de archivo .pdf mientras que el valor de presFilename (may\u00fasculas y min\u00fasculas) presenta una secuencia ../. Esto puede ser aprovechado para una escalada de privilegios por medio de un salto de directorio en bigbluebutton.properties. NOTA: este problema existe debido a una mitigaci\u00f3n ineficaz de CVE-2020-12112 en la que se intent\u00f3 corregir dentro de un archivo de configuraci\u00f3n NGINX, sin considerar que la parte relevante de NGINX no distingue entre may\u00fasculas y min\u00fasculas."
}
],
"id": "CVE-2020-12443",
"lastModified": "2024-11-21T04:59:43.700",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-04-29T02:15:11.467",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/9259/commits/b21ca8355a57286a1e6df96984b3a4c57679a463"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/mclab-hbrs/BBB-POC"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/9259/commits/b21ca8355a57286a1e6df96984b3a4c57679a463"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/mclab-hbrs/BBB-POC"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-06-02 00:15
Modified
2024-11-21 06:58
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4.1, an attacker could send messages to a locked chat within a grace period of 5s after any lock setting in the meeting was changed. The attacker needs to be a participant in the meeting. Versions 2.3.18 and 2.4.1 contain a patch for this issue. There are currently no known workarounds.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * | |
| bigbluebutton | bigbluebutton | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "60814A0D-57C0-4407-B7DD-26A9D5C3DBB1",
"versionEndExcluding": "2.3.18",
"versionStartIncluding": "2.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B0BE662F-4DB9-457E-8C04-F16081946A64",
"versionEndExcluding": "2.4.1",
"versionStartIncluding": "2.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4.1, an attacker could send messages to a locked chat within a grace period of 5s after any lock setting in the meeting was changed. The attacker needs to be a participant in the meeting. Versions 2.3.18 and 2.4.1 contain a patch for this issue. There are currently no known workarounds."
},
{
"lang": "es",
"value": "BigBlueButton es un sistema de conferencias web de c\u00f3digo abierto. A partir de la versi\u00f3n 2.2 y en versiones anteriores a 2.3.18 y 2.4.1, un atacante pod\u00eda enviar mensajes a un chat bloqueado dentro de un per\u00edodo de gracia de 5s despu\u00e9s de cualquier cambio en la configuraci\u00f3n de bloqueo de la reuni\u00f3n. El atacante debe ser un participante en la reuni\u00f3n. Las versiones 2.3.18 y 2.4.1 contienen un parche para este problema. Actualmente no son conocidas mitigaciones"
}
],
"id": "CVE-2022-29234",
"lastModified": "2024-11-21T06:58:46.477",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-02T00:15:08.290",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/13850"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/14265"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-36vc-c338-6xjv"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/13850"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/14265"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-36vc-c338-6xjv"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-285"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-12-17 01:15
Modified
2024-11-21 06:48
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are vulnerable to Insertion of Sensitive Information Into Sent Data. The moderators-only webcams lock setting is not enforced on the backend, which allows an attacker to subscribe to viewers' webcams, even when the lock setting is applied. (The required streamId was being sent to all users even with lock setting applied). This issue is fixed in version 2.4-rc-6. There are no workarounds.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6 | Release Notes, Third Party Advisory | |
| security-advisories@github.com | https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-j5g3-f74q-rvfq | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-j5g3-f74q-rvfq | Patch, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "91AA496D-9C0A-4900-96D5-33E4180B74D4",
"versionEndExcluding": "2.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "C136F53E-2EC5-433F-B354-88DA37689142",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "626A8774-BC38-4F11-A16B-918EC8740C82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta1:*:*:*:*:*:*",
"matchCriteriaId": "33735D00-C2AC-4FDA-B47B-B15D099F26F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta2:*:*:*:*:*:*",
"matchCriteriaId": "98890F0C-2E60-4696-A6E5-F44FB2A1A5BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta3:*:*:*:*:*:*",
"matchCriteriaId": "0C916210-11BF-4F4C-AE3E-29D27135F3F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta4:*:*:*:*:*:*",
"matchCriteriaId": "ABB37B70-021E-48F6-B3D2-0790A4729A3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "407E0358-75E5-41D9-A624-3C15D2145DDE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc2:*:*:*:*:*:*",
"matchCriteriaId": "12259673-5B79-40E4-8B08-8CB3B9C1A5A9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc3:*:*:*:*:*:*",
"matchCriteriaId": "EC135064-4919-4759-BC25-34C7868F6431",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc4:*:*:*:*:*:*",
"matchCriteriaId": "A0173198-BFAB-49E5-898E-173503C452C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc5:*:*:*:*:*:*",
"matchCriteriaId": "CCB8C413-ECD9-47BF-963C-B3A0F25A1BD8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are vulnerable to Insertion of Sensitive Information Into Sent Data. The moderators-only webcams lock setting is not enforced on the backend, which allows an attacker to subscribe to viewers\u0027 webcams, even when the lock setting is applied. (The required streamId was being sent to all users even with lock setting applied). This issue is fixed in version 2.4-rc-6. There are no workarounds."
},
{
"lang": "es",
"value": "BigBlueButton es un sistema de conferencias web de c\u00f3digo abierto. Las versiones anteriores a la 2.4-rc-6 son vulnerables a la inserci\u00f3n de informaci\u00f3n confidencial en los datos enviados. La configuraci\u00f3n de bloqueo de c\u00e1maras web exclusivas para moderadores no se aplica en el backend, lo que permite a un atacante suscribirse a las c\u00e1maras web de los espectadores, incluso cuando se aplica la configuraci\u00f3n de bloqueo. (El streamId requerido se enviaba a todos los usuarios incluso con la configuraci\u00f3n de bloqueo aplicada). Este problema se solucion\u00f3 en la versi\u00f3n 2.4-rc-6. No hay workaround."
}
],
"id": "CVE-2022-23488",
"lastModified": "2024-11-21T06:48:39.983",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-12-17T01:15:09.293",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-j5g3-f74q-rvfq"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-j5g3-f74q-rvfq"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
},
{
"lang": "en",
"value": "CWE-201"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-10-21 15:15
Modified
2024-11-21 05:21
Severity ?
Summary
BigBlueButton before 2.2.28 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "03C04F2C-F450-414C-8C19-66553C737676",
"versionEndExcluding": "2.2.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton before 2.2.28 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session."
},
{
"lang": "es",
"value": "BigBlueButton versiones anteriores a 2.2.28 (o anterior) no establece el flag seguro para la cookie de sesi\u00f3n en una sesi\u00f3n https, lo que facilita a los atacantes remotos capturar esta cookie al interceptar su transmisi\u00f3n dentro de una sesi\u00f3n http"
}
],
"id": "CVE-2020-27606",
"lastModified": "2024-11-21T05:21:26.930",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-10-21T15:15:27.110",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-10-21 15:15
Modified
2024-11-21 05:21
Severity ?
Summary
In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "03C04F2C-F450-414C-8C19-66553C737676",
"versionEndExcluding": "2.2.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document."
},
{
"lang": "es",
"value": "En BigBlueButton versiones anteriores a 2.2.28 (o anteriores), las presentaciones cargadas son enviadas hacia los clientes sin un encabezado Content-Type, que permite un ataque de tipo XSS, como es demostrado por una extensi\u00f3n de archivo .png para un documento HTML"
}
],
"id": "CVE-2020-27608",
"lastModified": "2024-11-21T05:21:27.283",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-10-21T15:15:27.250",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-10-30 19:15
Modified
2024-11-21 08:23
Severity ?
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.1 has a path traversal vulnerability that allows an attacker with a valid starting folder path to traverse and read other files without authentication, assuming the files have certain extensions (txt, swf, svg, png). In version 2.6.0-beta.1, input validation was added on the parameters being passed and dangerous characters are stripped. There are no known workarounds.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * | |
| bigbluebutton | bigbluebutton | 2.6.0 | |
| bigbluebutton | bigbluebutton | 2.6.0 | |
| bigbluebutton | bigbluebutton | 2.6.0 | |
| bigbluebutton | bigbluebutton | 2.6.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5F3F6566-B94F-4CBC-B1BA-DACA51865D76",
"versionEndIncluding": "2.5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.6.0:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "83C1F894-31BC-4C2D-AD62-837D990257CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.6.0:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "84EE596E-A3F6-4B29-B51D-CAE19A74D5E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.6.0:alpha3:*:*:*:*:*:*",
"matchCriteriaId": "A8DD6CB9-0B7E-4C4E-BDC6-D8FD1B85882D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.6.0:alpha4:*:*:*:*:*:*",
"matchCriteriaId": "1BA4033B-60B8-4674-98CA-F5794B905362",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.1 has a path traversal vulnerability that allows an attacker with a valid starting folder path to traverse and read other files without authentication, assuming the files have certain extensions (txt, swf, svg, png). In version 2.6.0-beta.1, input validation was added on the parameters being passed and dangerous characters are stripped. There are no known workarounds."
},
{
"lang": "es",
"value": "BigBlueButton es un aula virtual de c\u00f3digo abierto. BigBlueButton anterior a la versi\u00f3n 2.6.0-beta.1 tiene una vulnerabilidad de path traversal que permite a un atacante con una ruta de carpeta de inicio v\u00e1lida atravesar y leer otros archivos sin autenticaci\u00f3n, asumiendo que los archivos tienen ciertas extensiones (txt, swf, svg, png). En la versi\u00f3n 2.6.0-beta.1, se agreg\u00f3 validaci\u00f3n de entrada en los par\u00e1metros que se pasan y se eliminan los caracteres peligrosos. No se conocen workarounds."
}
],
"id": "CVE-2023-42804",
"lastModified": "2024-11-21T08:23:11.483",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-10-30T19:15:08.037",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/15960"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3qjg-229m-vq84"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/15960"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3qjg-229m-vq84"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-04-23 18:15
Modified
2024-11-21 04:59
Severity ?
Summary
BigBlueButton before 2.2.4 allows XSS via closed captions because dangerouslySetInnerHTML in React is used.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "9B080A47-5699-4BFF-B28A-9C83C380C244",
"versionEndExcluding": "2.2.4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton before 2.2.4 allows XSS via closed captions because dangerouslySetInnerHTML in React is used."
},
{
"lang": "es",
"value": "BigBlueButton versiones anteriores a 2.2.4, permite un ataque de tipo XSS por medio de subt\u00edtulos porque es usada la funci\u00f3n dangerouslySetInnerHTML en React."
}
],
"id": "CVE-2020-12113",
"lastModified": "2024-11-21T04:59:16.490",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-04-23T18:15:11.777",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/9017"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.2.4"
},
{
"source": "cve@mitre.org",
"url": "https://www.sakshamanand.com/cve-2020-12113/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/9017"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.2.4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.sakshamanand.com/cve-2020-12113/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-10-21 15:15
Modified
2024-11-21 05:21
Severity ?
Summary
Greenlight in BigBlueButton through 2.2.28 places usernames in room URLs, which may represent an unintended information leak to users in a room, or an information leak to outsiders if any user publishes a screenshot of a browser window.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://docs.bigbluebutton.org/admin/privacy.html | Not Applicable | |
| af854a3a-2127-422b-91ae-364da2661108 | https://docs.bigbluebutton.org/admin/privacy.html | Not Applicable |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DFDA0178-046A-4806-9AA6-5A7DF87FB382",
"versionEndIncluding": "2.2.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Greenlight in BigBlueButton through 2.2.28 places usernames in room URLs, which may represent an unintended information leak to users in a room, or an information leak to outsiders if any user publishes a screenshot of a browser window."
},
{
"lang": "es",
"value": "Greenlight en BigBlueButton versiones hasta 2.2.28, coloca los nombres de usuario en las URL de la sala, lo que puede representar un filtrado de informaci\u00f3n involuntario para los usuarios en una sala, o un filtrado de informaci\u00f3n para los extra\u00f1os si alg\u00fan usuario publica una captura de pantalla de una ventana del navegador"
}
],
"id": "CVE-2020-27612",
"lastModified": "2024-11-21T05:21:28.033",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-10-21T15:15:27.517",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Not Applicable"
],
"url": "https://docs.bigbluebutton.org/admin/privacy.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Not Applicable"
],
"url": "https://docs.bigbluebutton.org/admin/privacy.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-10-21 15:15
Modified
2024-11-21 05:21
Severity ?
Summary
The installation procedure in BigBlueButton before 2.2.28 (or earlier) exposes certain network services to external interfaces, and does not automatically set up a firewall configuration to block external access.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "03C04F2C-F450-414C-8C19-66553C737676",
"versionEndExcluding": "2.2.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The installation procedure in BigBlueButton before 2.2.28 (or earlier) exposes certain network services to external interfaces, and does not automatically set up a firewall configuration to block external access."
},
{
"lang": "es",
"value": "El procedimiento de instalaci\u00f3n en BigBlueButton versiones anteriores a 2.2.28 (o anterior) expone determinados servicios de red a interfaces externas y no configura autom\u00e1ticamente una configuraci\u00f3n de firewall para bloquear el acceso externo"
}
],
"id": "CVE-2020-27610",
"lastModified": "2024-11-21T05:21:27.660",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-10-21T15:15:27.373",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-10-21 15:15
Modified
2024-11-21 05:21
Severity ?
Summary
In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or transmit it to one or more meeting participants or other third parties.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "03C04F2C-F450-414C-8C19-66553C737676",
"versionEndExcluding": "2.2.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or transmit it to one or more meeting participants or other third parties."
},
{
"lang": "es",
"value": "En BigBlueButton versiones anteriores a 2.2.8 (o anterior), el bot\u00f3n Mute del lado del cliente solo significa que el servidor debe dejar de aceptar datos de audio del cliente.\u0026#xa0;No configura directamente al cliente para que deje de enviar datos de audio al servidor y, por lo tanto, un servidor modificado podr\u00eda almacenar los datos de audio y/o transmitirlos a uno o m\u00e1s participantes de la reuni\u00f3n u otros terceros"
}
],
"id": "CVE-2020-27607",
"lastModified": "2024-11-21T05:21:27.113",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-10-21T15:15:27.170",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-12-16 14:15
Modified
2024-11-21 07:24
Severity ?
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3 contain a whiteboard grace period that exists to handle delayed messages, but this grace period could be used by attackers to take actions in the few seconds after their access is revoked. The attacker must be a meeting participant. This issue is patched in version 2.4.3 and version 2.5-alpha-1.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.3 | Release Notes, Third Party Advisory | |
| security-advisories@github.com | https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-v6p9-926c-6qfp | Patch, Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.3 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-v6p9-926c-6qfp | Patch, Release Notes, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "56A77DE5-1BFB-4B62-8C14-A2347B85F844",
"versionEndExcluding": "2.4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3 contain a whiteboard grace period that exists to handle delayed messages, but this grace period could be used by attackers to take actions in the few seconds after their access is revoked. The attacker must be a meeting participant. This issue is patched in version 2.4.3 and version 2.5-alpha-1."
},
{
"lang": "es",
"value": "BigBlueButton es un sistema de conferencias web de c\u00f3digo abierto. Las versiones anteriores a la 2.4.3 contienen un per\u00edodo de gracia de pizarra que existe para manejar mensajes retrasados, pero los atacantes podr\u00edan utilizar este per\u00edodo de gracia para tomar acciones en los pocos segundos posteriores a la revocaci\u00f3n de su acceso. El atacante debe ser un participante de la reuni\u00f3n. Este problema se solucion\u00f3 en la versi\u00f3n 2.4.3 y la versi\u00f3n 2.5-alpha-1."
}
],
"id": "CVE-2022-41963",
"lastModified": "2024-11-21T07:24:09.863",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-12-16T14:15:09.170",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.3"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-v6p9-926c-6qfp"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-v6p9-926c-6qfp"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-281"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-12-16 00:15
Modified
2024-11-21 07:24
Severity ?
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Summary
BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3 are subject to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to `validateAuthToken` using a victim's userId, meetingId, and an invalid authToken. This forces the victim to leave the conference, because the resulting verification failure is also observed and handled by the victim's client. The attacker must be a participant in any meeting on the server. This issue is patched in version 2.4.3. There are no workarounds.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.3 | Release Notes, Third Party Advisory | |
| security-advisories@github.com | https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1 | Release Notes, Third Party Advisory | |
| security-advisories@github.com | https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rgjp-3r74-g4cm | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.3 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rgjp-3r74-g4cm | Release Notes, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "56A77DE5-1BFB-4B62-8C14-A2347B85F844",
"versionEndExcluding": "2.4.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3 are subject to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to `validateAuthToken` using a victim\u0027s userId, meetingId, and an invalid authToken. This forces the victim to leave the conference, because the resulting verification failure is also observed and handled by the victim\u0027s client. The attacker must be a participant in any meeting on the server. This issue is patched in version 2.4.3. There are no workarounds."
},
{
"lang": "es",
"value": "BigBlueButton es un sistema de conferencias web de c\u00f3digo abierto. Las versiones anteriores a la 2.4.3 est\u00e1n sujetas a una verificaci\u00f3n insuficiente de la autenticidad de los datos, lo que resulta en una Denegaci\u00f3n de Servicio (DoS). Un atacante puede realizar una llamada Meteor a \"validateAuthToken\" utilizando el ID de usuario, el ID de reuni\u00f3n y un token de autenticaci\u00f3n no v\u00e1lido de la v\u00edctima. Esto obliga a la v\u00edctima a abandonar la conferencia, porque el cliente de la v\u00edctima tambi\u00e9n observa y maneja el error de verificaci\u00f3n resultante. El atacante debe participar en cualquier reuni\u00f3n en el servidor. Este problema se solucion\u00f3 en la versi\u00f3n 2.4.3. No hay workaround."
}
],
"id": "CVE-2022-41960",
"lastModified": "2024-11-21T07:24:09.460",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-12-16T00:15:13.530",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.3"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rgjp-3r74-g4cm"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4.3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-rgjp-3r74-g4cm"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-345"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-11-19 22:15
Modified
2024-11-21 05:23
Severity ?
Summary
In BigBlueButton before 2.2.29, a user can vote more than once in a single poll.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/bigbluebutton/bigbluebutton/commit/d2cb02b3bd670265c6b1ba003f87fc261e0ac3e1 | Patch, Third Party Advisory | |
| cve@mitre.org | https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.28...v2.2.29 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/commit/d2cb02b3bd670265c6b1ba003f87fc261e0ac3e1 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.28...v2.2.29 | Release Notes, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5FA0DCDA-3F90-4D22-A5A1-E6CD7861C2B8",
"versionEndExcluding": "2.2.29",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "In BigBlueButton before 2.2.29, a user can vote more than once in a single poll."
},
{
"lang": "es",
"value": "En BigBlueButton versiones anteriores a 2.2.29, un usuario puede votar m\u00e1s de una vez en una sola encuesta"
}
],
"id": "CVE-2020-28953",
"lastModified": "2024-11-21T05:23:22.367",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-11-19T22:15:13.677",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/d2cb02b3bd670265c6b1ba003f87fc261e0ac3e1"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.28...v2.2.29"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/d2cb02b3bd670265c6b1ba003f87fc261e0ac3e1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.28...v2.2.29"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-noinfo"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-06-02 00:15
Modified
2024-11-21 06:58
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker who is able to obtain the meeting identifier for a meeting on a server can find information related to an external video being shared, like the current timestamp and play/pause. The problem has been patched in versions 2.3.18 and 2.4-rc-6 by modifying the stream to send the data only for users in the meeting. There are currently no known workarounds.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "60814A0D-57C0-4407-B7DD-26A9D5C3DBB1",
"versionEndExcluding": "2.3.18",
"versionStartIncluding": "2.2.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "C136F53E-2EC5-433F-B354-88DA37689142",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "626A8774-BC38-4F11-A16B-918EC8740C82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta1:*:*:*:*:*:*",
"matchCriteriaId": "33735D00-C2AC-4FDA-B47B-B15D099F26F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta2:*:*:*:*:*:*",
"matchCriteriaId": "98890F0C-2E60-4696-A6E5-F44FB2A1A5BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta3:*:*:*:*:*:*",
"matchCriteriaId": "0C916210-11BF-4F4C-AE3E-29D27135F3F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta4:*:*:*:*:*:*",
"matchCriteriaId": "ABB37B70-021E-48F6-B3D2-0790A4729A3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "407E0358-75E5-41D9-A624-3C15D2145DDE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc3:*:*:*:*:*:*",
"matchCriteriaId": "EC135064-4919-4759-BC25-34C7868F6431",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc4:*:*:*:*:*:*",
"matchCriteriaId": "A0173198-BFAB-49E5-898E-173503C452C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc5:*:*:*:*:*:*",
"matchCriteriaId": "CCB8C413-ECD9-47BF-963C-B3A0F25A1BD8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker who is able to obtain the meeting identifier for a meeting on a server can find information related to an external video being shared, like the current timestamp and play/pause. The problem has been patched in versions 2.3.18 and 2.4-rc-6 by modifying the stream to send the data only for users in the meeting. There are currently no known workarounds."
},
{
"lang": "es",
"value": "BigBlueButton es un sistema de conferencias web de c\u00f3digo abierto. A partir de la versi\u00f3n 2.2 y versiones hasta 2.3.18 y 2.4-rc-6, un atacante que sea capaz de obtener el identificador de una reuni\u00f3n en un servidor puede encontrar informaci\u00f3n relacionada con un v\u00eddeo externo que est\u00e1 siendo compartido, como la marca de tiempo actual y la reproducci\u00f3n/pausa. El problema ha sido parcheado en versiones 2.3.18 y 2.4-rc-6, al modificar el flujo para enviar los datos s\u00f3lo para usuarios de la reuni\u00f3n. Actualmente no son conocidas mitigaciones"
}
],
"id": "CVE-2022-29235",
"lastModified": "2024-11-21T06:58:46.600",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-06-02T00:15:08.390",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/13788"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/14265"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-x82p-j22f-v4q6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/13788"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/14265"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.3.18"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-x82p-j22f-v4q6"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2022-12-16 13:15
Modified
2024-11-21 07:24
Severity ?
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
2.7 (Low) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Summary
BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 and 2.5-alpha-1 contain Incorrect Authorization for setting emoji status. A user with moderator rights can use the clear status feature to set any emoji status for other users. Moderators should only be able to set none as the status of other users. This issue is patched in 2.4-rc-6 and 2.5-alpha-1. There are no workarounds.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6 | Release Notes, Third Party Advisory | |
| security-advisories@github.com | https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1 | Release Notes, Third Party Advisory | |
| security-advisories@github.com | https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-88qf-33qm-9mm7 | Patch, Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1 | Release Notes, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-88qf-33qm-9mm7 | Patch, Release Notes, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 | |
| bigbluebutton | bigbluebutton | 2.4 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "91AA496D-9C0A-4900-96D5-33E4180B74D4",
"versionEndExcluding": "2.4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "C136F53E-2EC5-433F-B354-88DA37689142",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "626A8774-BC38-4F11-A16B-918EC8740C82",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta1:*:*:*:*:*:*",
"matchCriteriaId": "33735D00-C2AC-4FDA-B47B-B15D099F26F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta2:*:*:*:*:*:*",
"matchCriteriaId": "98890F0C-2E60-4696-A6E5-F44FB2A1A5BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta3:*:*:*:*:*:*",
"matchCriteriaId": "0C916210-11BF-4F4C-AE3E-29D27135F3F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:beta4:*:*:*:*:*:*",
"matchCriteriaId": "ABB37B70-021E-48F6-B3D2-0790A4729A3C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc1:*:*:*:*:*:*",
"matchCriteriaId": "407E0358-75E5-41D9-A624-3C15D2145DDE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc3:*:*:*:*:*:*",
"matchCriteriaId": "EC135064-4919-4759-BC25-34C7868F6431",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc4:*:*:*:*:*:*",
"matchCriteriaId": "A0173198-BFAB-49E5-898E-173503C452C2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.4:rc5:*:*:*:*:*:*",
"matchCriteriaId": "CCB8C413-ECD9-47BF-963C-B3A0F25A1BD8",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 and 2.5-alpha-1 contain Incorrect Authorization for setting emoji status. A user with moderator rights can use the clear status feature to set any emoji status for other users. Moderators should only be able to set none as the status of other users. This issue is patched in 2.4-rc-6 and 2.5-alpha-1. There are no workarounds."
},
{
"lang": "es",
"value": "BigBlueButton es un sistema de conferencias web de c\u00f3digo abierto. Las versiones anteriores a 2.4-rc-6 y 2.5-alpha-1 contienen autorizaci\u00f3n incorrecta para configurar el estado de emoji. Un usuario con derechos de moderador puede utilizar la funci\u00f3n de borrar estado para establecer cualquier estado de emoji para otros usuarios. Los moderadores s\u00f3lo deber\u00edan poder establecer ninguno como estado de otros usuarios. Este problema est\u00e1 parcheado en 2.4-rc-6 y 2.5-alpha-1. No existen workarounds."
}
],
"id": "CVE-2022-41962",
"lastModified": "2024-11-21T07:24:09.730",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-12-16T13:15:09.013",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-88qf-33qm-9mm7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-88qf-33qm-9mm7"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-10-30 23:15
Modified
2024-11-21 08:24
Severity ?
5.6 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
BigBlueButton is an open-source virtual classroom. BigBlueButton prior to versions 2.6.12 and 2.7.0-rc.1 is vulnerable to Server-Side Request Forgery (SSRF). This issue is a bypass of CVE-2023-33176. A patch in versions 2.6.12 and 2.7.0-rc.1 disabled redirect following at `httpclient.execute`, since the software no longer needs to follow redirects when using `finalUrl`. There are no known workarounds. We recommend upgrading to a patched version of BigBlueButton.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * | |
| bigbluebutton | bigbluebutton | 2.7.0 | |
| bigbluebutton | bigbluebutton | 2.7.0 | |
| bigbluebutton | bigbluebutton | 2.7.0 | |
| bigbluebutton | bigbluebutton | 2.7.0 | |
| bigbluebutton | bigbluebutton | 2.7.0 | |
| bigbluebutton | bigbluebutton | 2.7.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "07AC33B9-3067-4848-B48D-ABDD7286DE51",
"versionEndExcluding": "2.6.12",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "C05D5D11-75BE-41FA-A62F-61F35B16BA9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "C23D21AA-EF44-4F61-9775-57E3AF206CEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:alpha3:*:*:*:*:*:*",
"matchCriteriaId": "1E95E50E-3C1E-438A-BAEC-AE0DF69B2937",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "A7EC2B6A-1A13-40FE-85D6-30D596813394",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "5A7D33D7-AE88-4ED4-82A4-BCFA7E828AD1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "49CCF586-942D-4B21-BFD2-486EF3FCDF7E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open-source virtual classroom. BigBlueButton prior to versions 2.6.12 and 2.7.0-rc.1 is vulnerable to Server-Side Request Forgery (SSRF). This issue is a bypass of CVE-2023-33176. A patch in versions 2.6.12 and 2.7.0-rc.1 disabled redirect following at `httpclient.execute`, since the software no longer needs to follow redirects when using `finalUrl`. There are no known workarounds. We recommend upgrading to a patched version of BigBlueButton."
},
{
"lang": "es",
"value": "BigBlueButton es un aula virtual de c\u00f3digo abierto. BigBlueButton anterior a las versiones 2.6.12 y 2.7.0-rc.1 es vulnerable a Server-Side Request Forgery (SSRF). Este problema es una omisi\u00f3n de CVE-2023-33176. Un parche en las versiones 2.6.12 y 2.7.0-rc.1 deshabilit\u00f3 el redireccionamiento de seguimiento en `httpclient.execute` ya que el software ya no tiene que seguirlo cuando usa `finalUrl`. No se conocen workarounds. Recomendamos actualizar a una versi\u00f3n parcheada de BigBlueButton."
}
],
"id": "CVE-2023-43798",
"lastModified": "2024-11-21T08:24:48.393",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-10-30T23:15:08.397",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/18494"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/18580"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-h98v-2h8w-99c4"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/18494"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/18580"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3q22-hph2-cff7"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-h98v-2h8w-99c4"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-04-23 18:15
Modified
2024-11-21 04:59
Severity ?
Summary
BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "29AB9D9E-E49D-4524-B78B-87516CF87C38",
"versionEndExcluding": "2.2.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion."
},
{
"lang": "es",
"value": "BigBlueButton versiones anteriores a 2.2.5, permite a atacantes remotos conseguir archivos confidenciales por medio de una Inclusi\u00f3n de un Archivo Local."
}
],
"id": "CVE-2020-12112",
"lastModified": "2024-11-21T04:59:16.353",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-04-23T18:15:11.717",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://cwe.mitre.org/data/definitions/23.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.4...v2.2.5"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/tchenu/CVE-2020-12112"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://twitter.com/bigbluebutton/status/1252706369486180353"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://twitter.com/thibeault_chenu/status/1249976515917422593"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://cwe.mitre.org/data/definitions/23.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.4...v2.2.5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://github.com/tchenu/CVE-2020-12112"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://twitter.com/bigbluebutton/status/1252706369486180353"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://twitter.com/thibeault_chenu/status/1249976515917422593"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-10-30 19:15
Modified
2024-11-21 08:23
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.2 is vulnerable to unrestricted file upload, where the insertDocument API call does not validate the given file extension before saving the file, and does not remove it in case of validation failures. BigBlueButton 2.6.0-beta.2 contains a patch. There are no known workarounds.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * | |
| bigbluebutton | bigbluebutton | 2.6.0 | |
| bigbluebutton | bigbluebutton | 2.6.0 | |
| bigbluebutton | bigbluebutton | 2.6.0 | |
| bigbluebutton | bigbluebutton | 2.6.0 | |
| bigbluebutton | bigbluebutton | 2.6.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "5F3F6566-B94F-4CBC-B1BA-DACA51865D76",
"versionEndIncluding": "2.5.18",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.6.0:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "83C1F894-31BC-4C2D-AD62-837D990257CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.6.0:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "84EE596E-A3F6-4B29-B51D-CAE19A74D5E3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.6.0:alpha3:*:*:*:*:*:*",
"matchCriteriaId": "A8DD6CB9-0B7E-4C4E-BDC6-D8FD1B85882D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.6.0:alpha4:*:*:*:*:*:*",
"matchCriteriaId": "1BA4033B-60B8-4674-98CA-F5794B905362",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.6.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "66F6441F-A11A-424B-BB9C-1CFF5F95B02E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.2 is vulnerable to unrestricted file upload, where the insertDocument API call does not validate the given file extension before saving the file, and does not remove it in case of validation failures. BigBlueButton 2.6.0-beta.2 contains a patch. There are no known workarounds."
},
{
"lang": "es",
"value": "BigBlueButton es un aula virtual de c\u00f3digo abierto. BigBlueButton anterior a la versi\u00f3n 2.6.0-beta.2 es vulnerable a la carga de archivos sin restricciones, donde la llamada a la API insertDocument no valida la extensi\u00f3n de archivo dada antes de guardar el archivo y no la elimina en caso de fallas de validaci\u00f3n. BigBlueButton 2.6.0-beta.2 contiene un parche. No se conocen workarounds."
}
],
"id": "CVE-2023-42803",
"lastModified": "2024-11-21T08:23:11.353",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-10-30T19:15:07.963",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/15990"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-w98f-6x8w-xhjc"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/15990"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-w98f-6x8w-xhjc"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-434"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2020-10-21 15:15
Modified
2024-11-21 05:21
Severity ?
Summary
BigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox."
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html | Exploit, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DFDA0178-046A-4806-9AA6-5A7DF87FB382",
"versionEndIncluding": "2.2.28",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a \"schwache Sandbox.\""
},
{
"lang": "es",
"value": "BigBlueButton versiones hasta 2.2.8, utiliza Ghostscript para el procesamiento de documentos EPS cargados y, en consecuencia, puede estar sujeto a ataques relacionados con un \"Schwache Sandbox\"."
}
],
"id": "CVE-2020-27605",
"lastModified": "2024-11-21T05:21:26.743",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2020-10-21T15:15:27.030",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Third Party Advisory"
],
"url": "https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2023-10-30 23:15
Modified
2024-11-21 08:24
Severity ?
6.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
BigBlueButton is an open-source virtual classroom. Prior to versions 2.6.11 and 2.7.0-beta.3, Guest Lobby was vulnerable to cross-site scripting while users wait to enter the meeting, because unsanitized messages were inserted into the element via unsafe innerHTML. Text sanitizing was added for lobby messages starting in versions 2.6.11 and 2.7.0-beta.3. There are no known workarounds.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * | |
| bigbluebutton | bigbluebutton | 2.7.0 | |
| bigbluebutton | bigbluebutton | 2.7.0 | |
| bigbluebutton | bigbluebutton | 2.7.0 | |
| bigbluebutton | bigbluebutton | 2.7.0 | |
| bigbluebutton | bigbluebutton | 2.7.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E83CAE24-2B29-4265-B5E8-17E89637F0DF",
"versionEndExcluding": "2.6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:alpha1:*:*:*:*:*:*",
"matchCriteriaId": "C05D5D11-75BE-41FA-A62F-61F35B16BA9A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:alpha2:*:*:*:*:*:*",
"matchCriteriaId": "C23D21AA-EF44-4F61-9775-57E3AF206CEE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:alpha3:*:*:*:*:*:*",
"matchCriteriaId": "1E95E50E-3C1E-438A-BAEC-AE0DF69B2937",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "A7EC2B6A-1A13-40FE-85D6-30D596813394",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:bigbluebutton:bigbluebutton:2.7.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "5A7D33D7-AE88-4ED4-82A4-BCFA7E828AD1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "BigBlueButton is an open-source virtual classroom. Prior to versions 2.6.11 and 2.7.0-beta.3, Guest Lobby was vulnerable to cross-site scripting while users wait to enter the meeting, because unsanitized messages were inserted into the element via unsafe innerHTML. Text sanitizing was added for lobby messages starting in versions 2.6.11 and 2.7.0-beta.3. There are no known workarounds."
},
{
"lang": "es",
"value": "BigBlueButton es un aula virtual de c\u00f3digo abierto. Antes de las versiones 2.6.11 y 2.7.0-beta.3, Guest Lobby era vulnerable a cross-site scripting cuando los usuarios esperaban para ingresar a la reuni\u00f3n debido a la inserci\u00f3n de mensajes no sanitizados en el elemento mediante un HTML interno no seguro. Se agreg\u00f3 sanitizaci\u00f3n de texto para los mensajes del lobby a partir de las versiones 2.6.11 y 2.7.0-beta.3. No se conocen workarounds."
}
],
"id": "CVE-2023-43797",
"lastModified": "2024-11-21T08:24:48.270",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-10-30T23:15:08.317",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/304bc851a00558f99a908880f4ac44234a074c9d"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/18392"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-v6wg-q866-h73x"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/commit/304bc851a00558f99a908880f4ac44234a074c9d"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/pull/18392"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-v6wg-q866-h73x"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}