Bigbluebutton
bigbluebutton
55 CVEs • 2 products
Products (2)
Click to collapseToggle
Products (2)
Click to collapse
CVEs (55)
CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS |
|---|
1Bigbluebutton 1Bigbluebutton Nov 21, 2024 Oct 21, 2020 N/A· v4 4.3 MEDIUM· v3 4.0 MEDIUM· v2 Greenlight in BigBlueButton through 2.2.28 places usernames in room URLs, which may represent an unintended information leak to users in a room, or an information leak to outsiders if any user publishes a screenshot of a...Show more |
BigBlueButton through 2.2.28 uses STUN/TURN resources from a third party, which may represent an unintended endpoint. |
The installation procedure in BigBlueButton before 2.2.28 (or earlier) exposes certain network services to external interfaces, and does not automatically set up a firewall configuration to block external access. |
1Bigbluebutton 1Bigbluebutton Nov 21, 2024 Oct 21, 2020 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 BigBlueButton through 2.2.28 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participan...Show more |
1Bigbluebutton 1Bigbluebutton Nov 21, 2024 Oct 21, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document. |
1Bigbluebutton 1Bigbluebutton Nov 21, 2024 Oct 21, 2020 N/A· v4 6.5 MEDIUM· v3 6.4 MEDIUM· v2 In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio da...Show more |
1Bigbluebutton 1Bigbluebutton Nov 21, 2024 Oct 21, 2020 N/A· v4 5.3 MEDIUM· v3 5.0 MEDIUM· v2 BigBlueButton before 2.2.28 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within...Show more |
1Bigbluebutton 1Bigbluebutton Nov 21, 2024 Oct 21, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 BigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox." |
1Bigbluebutton 1Bigbluebutton Nov 21, 2024 Oct 21, 2020 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret,...Show more |
BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access external files. |
1Bigbluebutton 1Bigbluebutton Nov 21, 2024 Oct 21, 2020 N/A· v4 6.5 MEDIUM· v3 4.0 MEDIUM· v2 BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field. |
BigBlueButton Greenlight before 2.5.6 allows HTTP header (Host and Origin) attacks, which can result in Account Takeover if a victim follows a spoofed password-reset link. |
1Bigbluebutton 1Bigbluebutton Nov 21, 2024 Apr 29, 2020 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value can be a .pdf filename while the presFilename (mixed case) value has a ../ sequence. This can be lever...Show more |
1Bigbluebutton 1Bigbluebutton Nov 21, 2024 Apr 23, 2020 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 BigBlueButton before 2.2.4 allows XSS via closed captions because dangerouslySetInnerHTML in React is used. |
BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion. |