Bigbluebutton

bigbluebutton

Vendor: Bigbluebutton • 49 CVEs

CVEs (49)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2020-27607 1Bigbluebutton 1Bigbluebutton Nov 21, 2024 Oct 21, 2020 N/A· v4 6.5 MEDIUM· v3 6.4 MEDIUM· v2 In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio da...Show more In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or transmit it to one or more meeting participants or other third parties.Show less
CVE-2020-27606 1Bigbluebutton 1Bigbluebutton Nov 21, 2024 Oct 21, 2020 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 BigBlueButton before 2.2.28 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within...Show more BigBlueButton before 2.2.28 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.Show less
CVE-2020-27605 1Bigbluebutton 1Bigbluebutton Nov 21, 2024 Oct 21, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 BigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox."
CVE-2020-27604 1Bigbluebutton 1Bigbluebutton Nov 21, 2024 Oct 21, 2020 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret,...Show more BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example) use api/join to join an arbitrary meeting regardless of its guestPolicy setting.Show less
CVE-2020-27603 1Bigbluebutton 1Bigbluebutton Nov 21, 2024 Oct 21, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access external files.
CVE-2020-25820 1Bigbluebutton 1Bigbluebutton Nov 21, 2024 Oct 21, 2020 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field.
CVE-2020-12443 1Bigbluebutton 1Bigbluebutton Nov 21, 2024 Apr 29, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value can be a .pdf filename while the presFilename (mixed case) value has a ../ sequence. This can be lever...Show more BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value can be a .pdf filename while the presFilename (mixed case) value has a ../ sequence. This can be leveraged for privilege escalation via a directory traversal to bigbluebutton.properties. NOTE: this issue exists because of an ineffective mitigation to CVE-2020-12112 in which there was an attempted fix within an NGINX configuration file, without considering that the relevant part of NGINX is case-insensitive.Show less
CVE-2020-12113 1Bigbluebutton 1Bigbluebutton Nov 21, 2024 Apr 23, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 BigBlueButton before 2.2.4 allows XSS via closed captions because dangerouslySetInnerHTML in React is used.
CVE-2020-12112 1Bigbluebutton 1Bigbluebutton Nov 21, 2024 Apr 23, 2020 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion.

Previous 1 23