CVE-2020-27604

Published: Oct 21, 2020Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example) use api/join to join an arbitrary meeting regardless of its guestPolicy setting.

Affected (1)

Products: Bigbluebutton: Bigbluebutton

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Bigbluebutton Bigbluebutton	Before 2.2.8

Related CWEs

Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

References (4)

https://docs.bigbluebutton.org/dev/api.html

Source: cve@mitre.org

Product

https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html

Source: cve@mitre.org

ExploitThird Party Advisory

https://docs.bigbluebutton.org/dev/api.html

Source: af854a3a-2127-422b-91ae-364da2661108

Product

https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.