Vulnerabilities
BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field.
CVSS Score: 6.5
EPSS Score: 0.04
Published: 2020-10-21
BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value can be a .pdf filename while the presFilename (mixed case) value has a ../ sequence. This can be leveraged for privilege escalation via a directory traversal to bigbluebutton.properties. NOTE: this issue exists because of an ineffective mitigation to CVE-2020-12112 in which there was an attempted fix within an NGINX configuration file, without considering that the relevant part of NGINX is case-insensitive.
CVSS Score: 9.8
EPSS Score: 0.008
Published: 2020-04-29
BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion.
CVSS Score: 7.5
EPSS Score: 0.39
Published: 2020-04-23
BigBlueButton before 2.2.4 allows XSS via closed captions because dangerouslySetInnerHTML in React is used.
CVSS Score: 6.1
EPSS Score: 0.004
Published: 2020-04-23
Shodan ® - All rights reserved