Bigbluebutton: >> Bigbluebutton >> 2.2.6 Security Vulnerabilities
BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access external files.
CVSS Score
7.5
EPSS Score
0.263
Published
2020-10-21
BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example) use api/join to join an arbitrary meeting regardless of its guestPolicy setting.
CVSS Score
6.5
EPSS Score
0.002
Published
2020-10-21
BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field.
CVSS Score
6.5
EPSS Score
0.04
Published
2020-10-21
Page 5