Filtered by vendor Bigbluebutton
Subscriptions
Total
49 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2023-33176 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 4.8 Medium |
| BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. In affected versions are affected by a Server-Side Request Forgery (SSRF) vulnerability. In an `insertDocument` API request the user is able to supply a URL from which the presentation should be downloaded. This URL was being used without having been successfully validated first. An update to the `followRedirect` method in the `PresentationUrlDownloadService` has been made to validate all URLs to be used for presentation download. Two new properties `presentationDownloadSupportedProtocols` and `presentationDownloadBlockedHosts` have also been added to `bigbluebutton.properties` to allow administrators to define what protocols a URL must use and to explicitly define hosts that a presentation cannot be downloaded from. All URLs passed to `insertDocument` must conform to the requirements of the two previously mentioned properties. Additionally, these URLs must resolve to valid addresses, and these addresses must not be local or loopback addresses. There are no workarounds. Users are advised to upgrade to a patched version of BigBlueButton. | ||||
| CVE-2022-29236 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 4.3 Medium |
| BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker can circumvent access restrictions for drawing on the whiteboard. The permission check is inadvertently skipped on the server, due to a previously introduced grace period. The attacker must be a meeting participant. The problem has been patched in versions 2.3.18 and 2.4-rc-6. There are currently no known workarounds. | ||||
| CVE-2022-29235 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 5.3 Medium |
| BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker who is able to obtain the meeting identifier for a meeting on a server can find information related to an external video being shared, like the current timestamp and play/pause. The problem has been patched in versions 2.3.18 and 2.4-rc-6 by modifying the stream to send the data only for users in the meeting. There are currently no known workarounds. | ||||
| CVE-2022-27238 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 5.4 Medium |
| BigBlueButton version 2.4.7 (or earlier) is vulnerable to stored Cross-Site Scripting (XSS) in the private chat functionality. A threat actor could inject JavaScript payload in his/her username. The payload gets executed in the browser of the victim each time the attacker sends a private message to the victim or when notification about the attacker leaving room is displayed. | ||||
| CVE-2022-26497 | 1 Bigbluebutton | 1 Greenlight | 2024-11-21 | 5.4 Medium |
| BigBlueButton Greenlight 2.11.1 allows XSS. A threat actor could have a username containing a JavaScript payload. The payload gets executed in the browser of the victim in the "Share room access" dialog if the victim has shared access to the particular room with the attacker previously. | ||||
| CVE-2021-4143 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 6.1 Medium |
| Cross-site Scripting (XSS) - Generic in GitHub repository bigbluebutton/bigbluebutton prior to 2.4.0. | ||||
| CVE-2020-29043 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 7.5 High |
| An issue was discovered in BigBlueButton through 2.2.29. When at attacker is able to view an account_activations/edit?token= URI, the attacker can create an approved user account associated with an email address that has an arbitrary domain name. | ||||
| CVE-2020-29042 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 3.7 Low |
| An issue was discovered in BigBlueButton through 2.2.29. A brute-force attack may occur because an unlimited number of codes can be entered for a meeting that is protected by an access code. | ||||
| CVE-2020-28954 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 5.3 Medium |
| web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name. | ||||
| CVE-2020-28953 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 4.3 Medium |
| In BigBlueButton before 2.2.29, a user can vote more than once in a single poll. | ||||
| CVE-2020-27642 | 1 Bigbluebutton | 1 Greenlight | 2024-11-21 | 6.1 Medium |
| A cross-site scripting (XSS) vulnerability exists in the 'merge account' functionality in admins.js in BigBlueButton Greenlight 2.7.6. | ||||
| CVE-2020-27613 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 8.4 High |
| The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which allows local users to achieve unintended FreeSWITCH access. | ||||
| CVE-2020-27612 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 4.3 Medium |
| Greenlight in BigBlueButton through 2.2.28 places usernames in room URLs, which may represent an unintended information leak to users in a room, or an information leak to outsiders if any user publishes a screenshot of a browser window. | ||||
| CVE-2020-27611 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 7.3 High |
| BigBlueButton through 2.2.28 uses STUN/TURN resources from a third party, which may represent an unintended endpoint. | ||||
| CVE-2020-27610 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 7.5 High |
| The installation procedure in BigBlueButton before 2.2.28 (or earlier) exposes certain network services to external interfaces, and does not automatically set up a firewall configuration to block external access. | ||||
| CVE-2020-27609 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 5.3 Medium |
| BigBlueButton through 2.2.28 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant. | ||||
| CVE-2020-27608 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 6.1 Medium |
| In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document. | ||||
| CVE-2020-27607 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 6.5 Medium |
| In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or transmit it to one or more meeting participants or other third parties. | ||||
| CVE-2020-27606 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 5.3 Medium |
| BigBlueButton before 2.2.28 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. | ||||
| CVE-2020-27605 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-11-21 | 9.8 Critical |
| BigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox." | ||||