Filtered by vendor Bigbluebutton
Subscribe
Total
47 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-27604 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-02-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example) use api/join to join an arbitrary meeting regardless of its guestPolicy setting. | |||||
| CVE-2020-27609 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| BigBlueButton through 2.2.28 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant. | |||||
| CVE-2020-27612 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-02-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| Greenlight in BigBlueButton through 2.2.28 places usernames in room URLs, which may represent an unintended information leak to users in a room, or an information leak to outsiders if any user publishes a screenshot of a browser window. | |||||
| CVE-2020-27606 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-02-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| BigBlueButton before 2.2.28 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. | |||||
| CVE-2020-12112 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-02-28 | 5.0 MEDIUM | 7.5 HIGH |
| BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion. | |||||
| CVE-2020-12443 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value can be a .pdf filename while the presFilename (mixed case) value has a ../ sequence. This can be leveraged for privilege escalation via a directory traversal to bigbluebutton.properties. NOTE: this issue exists because of an ineffective mitigation to CVE-2020-12112 in which there was an attempted fix within an NGINX configuration file, without considering that the relevant part of NGINX is case-insensitive. | |||||
| CVE-2020-12113 | 1 Bigbluebutton | 1 Bigbluebutton | 2024-02-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| BigBlueButton before 2.2.4 allows XSS via closed captions because dangerouslySetInnerHTML in React is used. | |||||