Bigbluebutton: >> Bigbluebutton >> 2.2.18 Security Vulnerabilities
Greenlight in BigBlueButton through 2.2.28 places usernames in room URLs, which may represent an unintended information leak to users in a room, or an information leak to outsiders if any user publishes a screenshot of a browser window.
CVSS Score
4.3
EPSS Score
0.002
Published
2020-10-21
The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which allows local users to achieve unintended FreeSWITCH access.
CVSS Score
8.4
EPSS Score
0.0
Published
2020-10-21
BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access external files.
CVSS Score
7.5
EPSS Score
0.263
Published
2020-10-21
BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field.
CVSS Score
6.5
EPSS Score
0.04
Published
2020-10-21
Page 4