Filtered by vendor Bigbluebutton
Subscribe
Total
47 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-31064 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-02-28 | 2.1 LOW | 5.4 MEDIUM |
BigBlueButton is an open source web conferencing system. Users in meetings with private chat enabled are vulnerable to a cross site scripting attack in affected versions. The attack occurs when the attacker (with xss in the name) starts a chat. in the victim's client the JavaScript will be executed. This issue has been addressed in version 2.4.8 and 2.5.0. There are no known workarounds for this issue. | |||||
CVE-2022-27238 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
BigBlueButton version 2.4.7 (or earlier) is vulnerable to stored Cross-Site Scripting (XSS) in the private chat functionality. A threat actor could inject JavaScript payload in his/her username. The payload gets executed in the browser of the victim each time the attacker sends a private message to the victim or when notification about the attacker leaving room is displayed. | |||||
CVE-2022-29232 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
BigBlueButton is an open source web conferencing system. Starting with version 2.2 and prior to versions 2.3.9 and 2.4-beta-1, an attacker can circumvent access controls to obtain the content of public chat messages from different meetings on the server. The attacker must be a participant in a meeting on the server. BigBlueButton versions 2.3.9 and 2.4-beta-1 contain a patch for this issue. There are currently no known workarounds. | |||||
CVE-2022-29169 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
BigBlueButton is an open source web conferencing system. Versions starting with 2.2 and prior to 2.3.19, 2.4.7, and 2.5.0-beta.2 are vulnerable to regular expression denial of service (ReDoS) attacks. By using specific a RegularExpression, an attacker can cause denial of service for the bbb-html5 service. The useragent library performs checking of device by parsing the input of User-Agent header and lets it go through lookupUserAgent() (alias of useragent.lookup() ). This function handles input by regexing and attackers can abuse that by providing some ReDos payload using `SmartWatch`. The maintainers removed `htmlclient/useragent` from versions 2.3.19, 2.4.7, and 2.5.0-beta.2. As a workaround, disable NginX forwarding the requests to the handler according to the directions in the GitHub Security Advisory. | |||||
CVE-2022-26497 | 1 Bigbluebutton | 1 Greenlight | 2024-02-28 | 3.5 LOW | 5.4 MEDIUM |
BigBlueButton Greenlight 2.11.1 allows XSS. A threat actor could have a username containing a JavaScript payload. The payload gets executed in the browser of the victim in the "Share room access" dialog if the victim has shared access to the particular room with the attacker previously. | |||||
CVE-2021-4143 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
Cross-site Scripting (XSS) - Generic in GitHub repository bigbluebutton/bigbluebutton prior to 2.4.0. | |||||
CVE-2020-26163 | 1 Bigbluebutton | 1 Greenlight | 2024-02-28 | 6.8 MEDIUM | 8.8 HIGH |
BigBlueButton Greenlight before 2.5.6 allows HTTP header (Host and Origin) attacks, which can result in Account Takeover if a victim follows a spoofed password-reset link. | |||||
CVE-2020-27611 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-02-28 | 7.5 HIGH | 7.3 HIGH |
BigBlueButton through 2.2.28 uses STUN/TURN resources from a third party, which may represent an unintended endpoint. | |||||
CVE-2020-27610 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
The installation procedure in BigBlueButton before 2.2.28 (or earlier) exposes certain network services to external interfaces, and does not automatically set up a firewall configuration to block external access. | |||||
CVE-2020-29042 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-02-28 | 4.3 MEDIUM | 3.7 LOW |
An issue was discovered in BigBlueButton through 2.2.29. A brute-force attack may occur because an unlimited number of codes can be entered for a meeting that is protected by an access code. | |||||
CVE-2020-27603 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access external files. | |||||
CVE-2020-25820 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field. | |||||
CVE-2020-27605 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
BigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox." | |||||
CVE-2020-27613 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-02-28 | 4.6 MEDIUM | 8.4 HIGH |
The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which allows local users to achieve unintended FreeSWITCH access. | |||||
CVE-2020-28953 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
In BigBlueButton before 2.2.29, a user can vote more than once in a single poll. | |||||
CVE-2020-27642 | 1 Bigbluebutton | 1 Greenlight | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
A cross-site scripting (XSS) vulnerability exists in the 'merge account' functionality in admins.js in BigBlueButton Greenlight 2.7.6. | |||||
CVE-2020-28954 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name. | |||||
CVE-2020-29043 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
An issue was discovered in BigBlueButton through 2.2.29. When at attacker is able to view an account_activations/edit?token= URI, the attacker can create an approved user account associated with an email address that has an arbitrary domain name. | |||||
CVE-2020-27607 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-02-28 | 6.4 MEDIUM | 6.5 MEDIUM |
In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or transmit it to one or more meeting participants or other third parties. | |||||
CVE-2020-27608 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document. |