Bigbluebutton: >> Bigbluebutton >> 0.7 Security Vulnerabilities
BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3, are subject to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to `validateAuthToken` using a victim's userId, meetingId, and an invalid authToken. This forces the victim to leave the conference, because the resulting verification failure is also observed and handled by the victim's client. The attacker must be a participant in any meeting on the server. This issue is patched in version 2.4.3. There are no workarounds.
CVSS Score
4.3
EPSS Score
0.0
Published
2022-12-16
In BigBlueButton before 2.2.7, lockSettingsProps.disablePrivateChat does not apply to already opened chats. This occurs in bigbluebutton-html5/imports/ui/components/chat/service.js.
CVSS Score
3.5
EPSS Score
0.003
Published
2022-09-29
BigBlueButton before 2.2.7 does not have a protection mechanism for separator injection in meetingId, userId, and authToken.
CVSS Score
9.8
EPSS Score
0.005
Published
2022-09-29
BigBlueButton version 2.4.7 (or earlier) is vulnerable to stored Cross-Site Scripting (XSS) in the private chat functionality. A threat actor could inject JavaScript payload in his/her username. The payload gets executed in the browser of the victim each time the attacker sends a private message to the victim or when notification about the attacker leaving room is displayed.
CVSS Score
5.4
EPSS Score
0.002
Published
2022-06-24
Cross-site Scripting (XSS) - Generic in GitHub repository bigbluebutton/bigbluebutton prior to 2.4.0.
CVSS Score
8.1
EPSS Score
0.003
Published
2022-01-19
An issue was discovered in BigBlueButton through 2.2.29. A brute-force attack may occur because an unlimited number of codes can be entered for a meeting that is protected by an access code.
CVSS Score
3.7
EPSS Score
0.003
Published
2020-11-26
An issue was discovered in BigBlueButton through 2.2.29. When at attacker is able to view an account_activations/edit?token= URI, the attacker can create an approved user account associated with an email address that has an arbitrary domain name.
CVSS Score
7.5
EPSS Score
0.003
Published
2020-11-26
In BigBlueButton before 2.2.29, a user can vote more than once in a single poll.
CVSS Score
4.3
EPSS Score
0.002
Published
2020-11-19
web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name.
CVSS Score
5.3
EPSS Score
0.004
Published
2020-11-19
BigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox."
CVSS Score
9.8
EPSS Score
0.004
Published
2020-10-21