Vulnerabilities
Vulnerable Software
Bigbluebutton:  Security Vulnerabilities
Greenlight in BigBlueButton through 2.2.28 places usernames in room URLs, which may represent an unintended information leak to users in a room, or an information leak to outsiders if any user publishes a screenshot of a browser window.
CVSS Score
4.3
EPSS Score
0.002
Published
2020-10-21
The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which allows local users to achieve unintended FreeSWITCH access.
CVSS Score
8.4
EPSS Score
0.0
Published
2020-10-21
BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access external files.
CVSS Score
7.5
EPSS Score
0.263
Published
2020-10-21
BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example) use api/join to join an arbitrary meeting regardless of its guestPolicy setting.
CVSS Score
6.5
EPSS Score
0.002
Published
2020-10-21
BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field.
CVSS Score
6.5
EPSS Score
0.071
Published
2020-10-21
BigBlueButton Greenlight before 2.5.6 allows HTTP header (Host and Origin) attacks, which can result in Account Takeover if a victim follows a spoofed password-reset link.
CVSS Score
8.8
EPSS Score
0.005
Published
2020-09-30
BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value can be a .pdf filename while the presFilename (mixed case) value has a ../ sequence. This can be leveraged for privilege escalation via a directory traversal to bigbluebutton.properties. NOTE: this issue exists because of an ineffective mitigation to CVE-2020-12112 in which there was an attempted fix within an NGINX configuration file, without considering that the relevant part of NGINX is case-insensitive.
CVSS Score
9.8
EPSS Score
0.008
Published
2020-04-29
BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion.
CVSS Score
7.5
EPSS Score
0.39
Published
2020-04-23
BigBlueButton before 2.2.4 allows XSS via closed captions because dangerouslySetInnerHTML in React is used.
CVSS Score
6.1
EPSS Score
0.004
Published
2020-04-23


Contact Us

Shodan ® - All rights reserved