Filtered by vendor Bigbluebutton
Subscriptions
Total
47 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-42803 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-09-06 | 5.3 Medium |
| BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.2 is vulnerable to unrestricted file upload, where the insertDocument API call does not validate the given file extension before saving the file, and does not remove it in case of validation failures. BigBlueButton 2.6.0-beta.2 contains a patch. There are no known workarounds. | ||||
| CVE-2023-42804 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-09-05 | 3.1 Low |
| BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.1 has a path traversal vulnerability that allows an attacker with a valid starting folder path, to traverse and read other files without authentication, assuming the files have certain extensions (txt, swf, svg, png). In version 2.6.0-beta.1, input validation was added on the parameters being passed and dangerous characters are stripped. There are no known workarounds. | ||||
| CVE-2023-43797 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-09-05 | 6.3 Medium |
| BigBlueButton is an open-source virtual classroom. Prior to versions 2.6.11 and 2.7.0-beta.3, Guest Lobby was vulnerable to cross-site scripting when users wait to enter the meeting due to inserting unsanitized messages to the element using unsafe innerHTML. Text sanitizing was added for lobby messages starting in versions 2.6.11 and 2.7.0-beta.3. There are no known workarounds. | ||||
| CVE-2023-43798 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-09-05 | 5.6 Medium |
| BigBlueButton is an open-source virtual classroom. BigBlueButton prior to versions 2.6.12 and 2.7.0-rc.1 is vulnerable to Server-Side Request Forgery (SSRF). This issue is a bypass of CVE-2023-33176. A patch in versions 2.6.12 and 2.7.0-rc.1 disabled follow redirect at `httpclient.execute` since the software no longer has to follow it when using `finalUrl`. There are no known workarounds. We recommend upgrading to a patched version of BigBlueButton. | ||||
| CVE-2020-28954 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-04 | 5.3 Medium |
| web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name. | ||||
| CVE-2020-29043 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-04 | 7.5 High |
| An issue was discovered in BigBlueButton through 2.2.29. When at attacker is able to view an account_activations/edit?token= URI, the attacker can create an approved user account associated with an email address that has an arbitrary domain name. | ||||
| CVE-2020-29042 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-04 | 3.7 Low |
| An issue was discovered in BigBlueButton through 2.2.29. A brute-force attack may occur because an unlimited number of codes can be entered for a meeting that is protected by an access code. | ||||
| CVE-2020-28953 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-04 | 4.3 Medium |
| In BigBlueButton before 2.2.29, a user can vote more than once in a single poll. | ||||
| CVE-2020-27602 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-04 | 9.8 Critical |
| BigBlueButton before 2.2.7 does not have a protection mechanism for separator injection in meetingId, userId, and authToken. | ||||
| CVE-2020-27611 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-04 | 7.3 High |
| BigBlueButton through 2.2.28 uses STUN/TURN resources from a third party, which may represent an unintended endpoint. | ||||
| CVE-2020-27610 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-04 | 7.5 High |
| The installation procedure in BigBlueButton before 2.2.28 (or earlier) exposes certain network services to external interfaces, and does not automatically set up a firewall configuration to block external access. | ||||
| CVE-2020-27642 | 1 Bigbluebutton | 1 Greenlight | 2024-08-04 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability exists in the 'merge account' functionality in admins.js in BigBlueButton Greenlight 2.7.6. | ||||
| CVE-2020-27605 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-04 | 9.8 Critical |
| BigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox." | ||||
| CVE-2020-27604 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-04 | 6.5 Medium |
| BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example) use api/join to join an arbitrary meeting regardless of its guestPolicy setting. | ||||
| CVE-2020-27606 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-04 | 5.3 Medium |
| BigBlueButton before 2.2.28 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. | ||||
| CVE-2020-27603 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-04 | 7.5 High |
| BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access external files. | ||||
| CVE-2020-27609 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-04 | 5.3 Medium |
| BigBlueButton through 2.2.28 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant. | ||||
| CVE-2020-27612 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-04 | 4.3 Medium |
| Greenlight in BigBlueButton through 2.2.28 places usernames in room URLs, which may represent an unintended information leak to users in a room, or an information leak to outsiders if any user publishes a screenshot of a browser window. | ||||
| CVE-2020-27608 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-04 | 6.1 Medium |
| In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document. | ||||
| CVE-2020-27601 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-04 | 3.5 Low |
| In BigBlueButton before 2.2.7, lockSettingsProps.disablePrivateChat does not apply to already opened chats. This occurs in bigbluebutton-html5/imports/ui/components/chat/service.js. | ||||