Vulnerabilities (CVE)

Filtered by vendor Bigbluebutton Subscribe
Filtered by product Bigbluebutton
Total 43 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-23488 1 Bigbluebutton 1 Bigbluebutton 2024-11-21 N/A 6.5 MEDIUM
BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are vulnerable to Insertion of Sensitive Information Into Sent Data. The moderators-only webcams lock setting is not enforced on the backend, which allows an attacker to subscribe to viewers' webcams, even when the lock setting is applied. (The required streamId was being sent to all users even with lock setting applied). This issue is fixed in version 2.4-rc-6. There are no workarounds.
CVE-2021-4143 1 Bigbluebutton 1 Bigbluebutton 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Cross-site Scripting (XSS) - Generic in GitHub repository bigbluebutton/bigbluebutton prior to 2.4.0.
CVE-2020-29043 1 Bigbluebutton 1 Bigbluebutton 2024-11-21 5.0 MEDIUM 7.5 HIGH
An issue was discovered in BigBlueButton through 2.2.29. When at attacker is able to view an account_activations/edit?token= URI, the attacker can create an approved user account associated with an email address that has an arbitrary domain name.
CVE-2020-29042 1 Bigbluebutton 1 Bigbluebutton 2024-11-21 4.3 MEDIUM 3.7 LOW
An issue was discovered in BigBlueButton through 2.2.29. A brute-force attack may occur because an unlimited number of codes can be entered for a meeting that is protected by an access code.
CVE-2020-28954 1 Bigbluebutton 1 Bigbluebutton 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name.
CVE-2020-28953 1 Bigbluebutton 1 Bigbluebutton 2024-11-21 4.0 MEDIUM 4.3 MEDIUM
In BigBlueButton before 2.2.29, a user can vote more than once in a single poll.
CVE-2020-27613 1 Bigbluebutton 1 Bigbluebutton 2024-11-21 4.6 MEDIUM 8.4 HIGH
The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which allows local users to achieve unintended FreeSWITCH access.
CVE-2020-27612 1 Bigbluebutton 1 Bigbluebutton 2024-11-21 4.0 MEDIUM 4.3 MEDIUM
Greenlight in BigBlueButton through 2.2.28 places usernames in room URLs, which may represent an unintended information leak to users in a room, or an information leak to outsiders if any user publishes a screenshot of a browser window.
CVE-2020-27611 1 Bigbluebutton 1 Bigbluebutton 2024-11-21 7.5 HIGH 7.3 HIGH
BigBlueButton through 2.2.28 uses STUN/TURN resources from a third party, which may represent an unintended endpoint.
CVE-2020-27610 1 Bigbluebutton 1 Bigbluebutton 2024-11-21 5.0 MEDIUM 7.5 HIGH
The installation procedure in BigBlueButton before 2.2.28 (or earlier) exposes certain network services to external interfaces, and does not automatically set up a firewall configuration to block external access.
CVE-2020-27609 1 Bigbluebutton 1 Bigbluebutton 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
BigBlueButton through 2.2.28 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant.
CVE-2020-27608 1 Bigbluebutton 1 Bigbluebutton 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.
CVE-2020-27607 1 Bigbluebutton 1 Bigbluebutton 2024-11-21 6.4 MEDIUM 6.5 MEDIUM
In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or transmit it to one or more meeting participants or other third parties.
CVE-2020-27606 1 Bigbluebutton 1 Bigbluebutton 2024-11-21 5.0 MEDIUM 5.3 MEDIUM
BigBlueButton before 2.2.28 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
CVE-2020-27605 1 Bigbluebutton 1 Bigbluebutton 2024-11-21 7.5 HIGH 9.8 CRITICAL
BigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox."
CVE-2020-27604 1 Bigbluebutton 1 Bigbluebutton 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example) use api/join to join an arbitrary meeting regardless of its guestPolicy setting.
CVE-2020-27603 1 Bigbluebutton 1 Bigbluebutton 2024-11-21 5.0 MEDIUM 7.5 HIGH
BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access external files.
CVE-2020-27602 1 Bigbluebutton 1 Bigbluebutton 2024-11-21 N/A 9.8 CRITICAL
BigBlueButton before 2.2.7 does not have a protection mechanism for separator injection in meetingId, userId, and authToken.
CVE-2020-27601 1 Bigbluebutton 1 Bigbluebutton 2024-11-21 N/A 3.5 LOW
In BigBlueButton before 2.2.7, lockSettingsProps.disablePrivateChat does not apply to already opened chats. This occurs in bigbluebutton-html5/imports/ui/components/chat/service.js.
CVE-2020-25820 1 Bigbluebutton 1 Bigbluebutton 2024-11-21 4.0 MEDIUM 6.5 MEDIUM
BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field.