Filtered by vendor Bigbluebutton
Subscriptions
Total
47 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2020-27613 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-04 | 8.4 High |
| The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which allows local users to achieve unintended FreeSWITCH access. | ||||
| CVE-2020-27607 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-04 | 6.5 Medium |
| In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or transmit it to one or more meeting participants or other third parties. | ||||
| CVE-2020-26163 | 1 Bigbluebutton | 1 Greenlight | 2024-08-04 | 8.8 High |
| BigBlueButton Greenlight before 2.5.6 allows HTTP header (Host and Origin) attacks, which can result in Account Takeover if a victim follows a spoofed password-reset link. | ||||
| CVE-2020-25820 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-04 | 6.5 Medium |
| BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field. | ||||
| CVE-2020-12443 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-04 | 9.8 Critical |
| BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value can be a .pdf filename while the presFilename (mixed case) value has a ../ sequence. This can be leveraged for privilege escalation via a directory traversal to bigbluebutton.properties. NOTE: this issue exists because of an ineffective mitigation to CVE-2020-12112 in which there was an attempted fix within an NGINX configuration file, without considering that the relevant part of NGINX is case-insensitive. | ||||
| CVE-2020-12112 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-04 | 7.5 High |
| BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion. | ||||
| CVE-2020-12113 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-04 | 6.1 Medium |
| BigBlueButton before 2.2.4 allows XSS via closed captions because dangerouslySetInnerHTML in React is used. | ||||
| CVE-2021-4143 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-03 | 6.1 Medium |
| Cross-site Scripting (XSS) - Generic in GitHub repository bigbluebutton/bigbluebutton prior to 2.4.0. | ||||
| CVE-2022-41963 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-03 | 2.7 Low |
| BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3 contain a whiteboard grace period that exists to handle delayed messages, but this grace period could be used by attackers to take actions in the few seconds after their access is revoked. The attacker must be a meeting participant. This issue is patched in version 2.4.3 an version 2.5-alpha-1 | ||||
| CVE-2022-41964 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-03 | 5.7 Medium |
| BigBlueButton is an open source web conferencing system. This vulnerability only affects release candidates of BigBlueButton 2.4. The attacker can start a subscription for poll results before starting an anonymous poll, and use this subscription to see individual responses in the anonymous poll. The attacker had to be a meeting presenter. This issue is patched in version 2.4.0. There are no workarounds. | ||||
| CVE-2022-41961 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-03 | 4.3 Medium |
| BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are subject to Ineffective user bans. The attacker could register multiple users, and join the meeting with one of them. When that user is banned, they could still join the meeting with the remaining registered users from the same extId. This issue has been fixed by improving permissions such that banning a user removes all users related to their extId, including registered users that have not joined the meeting. This issue is patched in versions 2.4-rc-6 and 2.5-alpha-1. There are no workarounds. | ||||
| CVE-2022-41962 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-03 | 2.7 Low |
| BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6, and 2.5-alpha-1 contain Incorrect Authorization for setting emoji status. A user with moderator rights can use the clear status feature to set any emoji status for other users. Moderators should only be able to set none as the status of other users. This issue is patched in 2.4-rc-6 and 2.5-alpha-1There are no workarounds. | ||||
| CVE-2022-41960 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-03 | 4.3 Medium |
| BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3, are subject to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to `validateAuthToken` using a victim's userId, meetingId, and an invalid authToken. This forces the victim to leave the conference, because the resulting verification failure is also observed and handled by the victim's client. The attacker must be a participant in any meeting on the server. This issue is patched in version 2.4.3. There are no workarounds. | ||||
| CVE-2022-31064 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-03 | 6.5 Medium |
| BigBlueButton is an open source web conferencing system. Users in meetings with private chat enabled are vulnerable to a cross site scripting attack in affected versions. The attack occurs when the attacker (with xss in the name) starts a chat. in the victim's client the JavaScript will be executed. This issue has been addressed in version 2.4.8 and 2.5.0. There are no known workarounds for this issue. | ||||
| CVE-2022-31065 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-03 | 6.5 Medium |
| BigBlueButton is an open source web conferencing system. In affected versions an attacker can embed malicious JS in their username and have it executed on the victim's client. When a user receives a private chat from the attacker (whose username contains malicious JavaScript), the script gets executed. Additionally when the victim receives a notification that the attacker has left the session. This issue has been patched in version 2.4.8 and 2.5.0. There are no known workarounds for this issue. | ||||
| CVE-2022-31039 | 1 Bigbluebutton | 1 Greenlight | 2024-08-03 | 4.3 Medium |
| Greenlight is a simple front-end interface for your BigBlueButton server. In affected versions an attacker can view any room's settings even though they are not authorized to do so. Only the room owner and administrator should be able to view a room's settings. This issue has been patched in release version 2.12.6. | ||||
| CVE-2022-29232 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-03 | 6.5 Medium |
| BigBlueButton is an open source web conferencing system. Starting with version 2.2 and prior to versions 2.3.9 and 2.4-beta-1, an attacker can circumvent access controls to obtain the content of public chat messages from different meetings on the server. The attacker must be a participant in a meeting on the server. BigBlueButton versions 2.3.9 and 2.4-beta-1 contain a patch for this issue. There are currently no known workarounds. | ||||
| CVE-2022-29236 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-03 | 4.3 Medium |
| BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker can circumvent access restrictions for drawing on the whiteboard. The permission check is inadvertently skipped on the server, due to a previously introduced grace period. The attacker must be a meeting participant. The problem has been patched in versions 2.3.18 and 2.4-rc-6. There are currently no known workarounds. | ||||
| CVE-2022-29235 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-03 | 5.3 Medium |
| BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker who is able to obtain the meeting identifier for a meeting on a server can find information related to an external video being shared, like the current timestamp and play/pause. The problem has been patched in versions 2.3.18 and 2.4-rc-6 by modifying the stream to send the data only for users in the meeting. There are currently no known workarounds. | ||||
| CVE-2022-29234 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-08-03 | 4.3 Medium |
| BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4.1, an attacker could send messages to a locked chat within a grace period of 5s any lock setting in the meeting was changed. The attacker needs to be a participant in the meeting. Versions 2.3.18 and 2.4.1 contain a patch for this issue. There are currently no known workarounds. | ||||