VYPR

Bigbluebutton

by Bigbluebutton

Source repositories

CVEs (54)

  • CVE-2023-7296 (Medium) Oct 16, 2024
    risk 0.42 | CVSS 6.4 | EPSS 0.00

    The BigBlueButton plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the moderator code and viewer code fields in versions up to, and including, 3.0.0-beta.4 due to insufficient input sanitization and output escaping. This makes it possible for…

  • CVE-2026-27737 (Medium) May 18, 2026
    risk 0.35 | CVSS 6.5 | EPSS 0.00

    BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, the recording playback (presentation format) was not sanitizing user's input in public chat. This allowed for a malicious actor to craft and carry out a targeted XSS attack, activated on anyone…

  • CVE-2026-41127 (Medium) Apr 22, 2026
    risk 0.35 | CVSS 6.5 | EPSS 0.00

    BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have a missing authorization check that allows viewers to inject or overwrite captions. Version 3.0.24 tightened the permissions on who is able to submit captions. No known workarounds are available.

  • CVE-2024-38518 (Medium) Jun 28, 2024
    risk 0.23 | CVSS 4.6 | EPSS 0.00

    BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker with a valid join link to a meeting can trick BigBlueButton into generating a signed join link with additional parameters. One of those parameters may be…

  • CVE-2026-41126 (Medium) Apr 22, 2026
    risk 0.21 | CVSS 4.3 | EPSS 0.00

    BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have an Open Redirect through bigbluebutton/api/join via get-parameter "logoutURL." Version 3.0.24 has adjusted the handling of requests with incorrect checksum so that the default logoutURL is used. No…

  • CVE-2024-39302 (Low) Jun 28, 2024
    risk 0.17 | CVSS 3.7 | EPSS 0.00

    BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker may be able to exploit the overly elevated file permissions in the `/usr/local/bigbluebutton/core/vendor/bundle/ruby/2.7.0/gems/resque-2.6.0` directory with the goal…

  • CVE-2020-25820 Oct 21, 2020
    risk 0.04 | CVSS not listed | EPSS 0.09

    BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field.

  • CVE-2020-27603 Oct 21, 2020
    risk 0.02 | CVSS not listed | EPSS 0.03

    BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access external files.

  • CVE-2020-12112 Apr 23, 2020
    risk 0.01 | CVSS not listed | EPSS 0.05

    BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion.

  • CVE-2026-27736 Feb 25, 2026
    risk 0.00 | CVSS not listed | EPSS 0.00

    BigBlueButton is an open-source virtual classroom. In versions on the 3.x branch prior to 3.0.20, the string received with errorRedirectUrl lacks validation, using it directly in the respondWithRedirect function leads to an Open Redirect vulnerability. BigBlueButton 3.0.20…

  • CVE-2026-27467 Feb 21, 2026
    risk 0.00 | CVSS not listed | EPSS 0.00

    BigBlueButton is an open-source virtual classroom. In versions 3.0.19 and below, when first joining a session with the microphone muted, the client sends audio to the server regardless of mute state. Media is discarded at the server side, so it isn't audible to any participants,…

  • CVE-2026-27466 Feb 21, 2026
    risk 0.00 | CVSS not listed | EPSS 0.00

    BigBlueButton is an open-source virtual classroom. In versions 3.0.21 and below, the official documentation for "Server Customization" on Support for ClamAV as presentation file scanner contains instructions that leave a BBB server vulnerable to Denial of Service. The flawed…

  • CVE-2025-61602 Oct 9, 2025
    risk 0.00 | CVSS not listed | EPSS 0.00

    BigBlueButton is an open-source virtual classroom. A denial-of-service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to crash the chat functionality for all participants in a meeting by sending a malformed `reactionEmojiId` in the GraphQL mutation…

  • CVE-2025-61601 Oct 9, 2025
    risk 0.00 | CVSS not listed | EPSS 0.00

    BigBlueButton is an open-source virtual classroom. A Denial of Service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to freeze or crash the entire server by abusing the polling feature's `Choices` response type. By submitting a malicious payload…

  • CVE-2025-55200 Oct 9, 2025
    risk 0.00 | CVSS not listed | EPSS 0.00

    BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.13, the "Shared Notes" feature contains a Stored Cross-Site Scripting (XSS) vulnerability with the input location being the "Username" field and the output location on the "Shared Notes" page, when a…

  • CVE-2023-43798 Oct 30, 2023
    risk 0.00 | CVSS not listed | EPSS 0.00

    BigBlueButton is an open-source virtual classroom. BigBlueButton prior to versions 2.6.12 and 2.7.0-rc.1 is vulnerable to Server-Side Request Forgery (SSRF). This issue is a bypass of CVE-2023-33176. A patch in versions 2.6.12 and 2.7.0-rc.1 disabled follow redirect at…

  • CVE-2023-43797 Oct 30, 2023
    risk 0.00 | CVSS not listed | EPSS 0.00

    BigBlueButton is an open-source virtual classroom. Prior to versions 2.6.11 and 2.7.0-beta.3, Guest Lobby was vulnerable to cross-site scripting when users wait to enter the meeting due to inserting unsanitized messages to the element using unsafe innerHTML. Text sanitizing was…

  • CVE-2023-42804 Oct 30, 2023
    risk 0.00 | CVSS not listed | EPSS 0.00

    BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.1 has a path traversal vulnerability that allows an attacker with a valid starting folder path to traverse and read other files without authentication, assuming the files have certain…

  • CVE-2023-42803 Oct 30, 2023
    risk 0.00 | CVSS not listed | EPSS 0.01

    BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.2 is vulnerable to unrestricted file upload, where the insertDocument API call does not validate the given file extension before saving the file, and does not remove it in case of…

  • CVE-2023-33176 Jun 26, 2023
    risk 0.00 | CVSS not listed | EPSS 0.00

    BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. Affected versions contain a Server-Side Request Forgery (SSRF) vulnerability. In an `insertDocument` API request the user is able to supply a URL from which the…
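Three of the entries above (CVE-2024-38518, CVE-2026-41126 and CVE-2026-27736) concern the join API: a signed link whose parameters get extended, and redirect targets (logoutURL, errorRedirectUrl) taken from the request even when the checksum did not verify. The following is an added example, not BigBlueButton project code, modelling how a join handler should treat those inputs. It assumes the BigBlueButton API checksum scheme as I understand it (hex SHA-1 or SHA-256 over the call name, the query string with the checksum parameter removed, and the shared secret); the secret, host names, allow-list and function names are constructed for the example.

```python
# Added example, not BigBlueButton project code.
# Assumption: the BBB API checksum is hex(SHA-1 or SHA-256 of
#   callName + queryStringWithoutChecksumParam + sharedSecret).
# The secret, hosts and function names below are constructed for this example.
import hashlib
import hmac
from urllib.parse import parse_qsl, urlsplit

SHARED_SECRET = "constructed-shared-secret"                      # constructed
DEFAULT_LOGOUT_URL = "https://bbb.example.org/"                  # constructed
ALLOWED_REDIRECT_HOSTS = {"bbb.example.org", "lms.example.org"}  # constructed allow-list


def compute_checksum(call_name, query_without_checksum, secret, algo="sha1"):
    """Checksum over the exact query string, so parameter order and extra parameters matter."""
    digest = hashlib.new(algo)
    digest.update((call_name + query_without_checksum + secret).encode("utf-8"))
    return digest.hexdigest()


def sign_query(call_name, query, secret, algo="sha1"):
    """Build the signed query string a trusted integration sends to the server."""
    return query + "&checksum=" + compute_checksum(call_name, query, secret, algo)


def split_checksum(query):
    """Return (query without the checksum parameter, presented checksum or None)."""
    kept, presented = [], None
    for part in query.split("&"):
        if part.startswith("checksum="):
            presented = part[len("checksum="):]
        elif part:
            kept.append(part)
    return "&".join(kept), presented


def verify_checksum(call_name, query, secret):
    """Constant-time comparison; accept either digest an integration may use."""
    query_wo, presented = split_checksum(query)
    if presented is None:
        return False
    presented = presented.lower().encode("ascii", "replace")
    return any(
        hmac.compare_digest(compute_checksum(call_name, query_wo, secret, algo).encode(), presented)
        for algo in ("sha1", "sha256")
    )


def safe_redirect_target(candidate, default=DEFAULT_LOGOUT_URL):
    """Only absolute http(s) URLs on an allow-listed host may be used as a redirect."""
    if not candidate:
        return default
    u = urlsplit(candidate)
    # Rejects javascript:, data:, protocol-relative (//evil) and userinfo tricks
    # (https://bbb.example.org@evil.example/), because hostname is the real host.
    if u.scheme not in ("http", "https") or not u.hostname:
        return default
    if u.hostname.lower() not in ALLOWED_REDIRECT_HOSTS:
        return default
    return candidate


def handle_join(query, secret=SHARED_SECRET):
    """Model of the join endpoint; returns (status, URL the client is sent to)."""
    params = dict(parse_qsl(query, keep_blank_values=True))
    if not verify_checksum("join", query, secret):
        # Weak pattern described in CVE-2026-41126: the error path still honoured
        # the unauthenticated logoutURL. Hardened: never read it on failure.
        return ("checksum_error", DEFAULT_LOGOUT_URL)
    # Signed request: logoutURL was chosen by the integration, but we still refuse
    # off-site targets in case the integration forwarded end-user input unchecked.
    return ("ok", safe_redirect_target(params.get("logoutURL")))


if __name__ == "__main__":
    link = sign_query("join", "meetingID=demo&fullName=Alice&password=ap", SHARED_SECRET)
    print(handle_join(link))                    # signed as issued
    print(handle_join(link + "&role=MODERATOR"))  # extra parameter breaks the signature
```

Appending a parameter to an already signed link (the shape of CVE-2024-38518) changes the covered query string, so the server must recompute and reject rather than "re-sign" it; and on a checksum failure the handler above ignores every request-supplied redirect target, which is the behaviour the 3.0.24 fix note describes.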
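CVE-2023-33176 and its bypass CVE-2023-43798 both concern fetching a user-supplied URL in an `insertDocument` request, with the bypass working through redirects. The block below is an added example, not BigBlueButton code, of the hardening that class of bug calls for: validate the URL, resolve the host, reject any non-public address, hand the validated IP to the fetcher so the connection is pinned to it, and re-validate every redirect hop yourself instead of letting the HTTP client follow redirects. The resolver and fetcher are injectable so it runs offline; the host names, addresses and responses in the test doubles are constructed.

```python
# Added example, not BigBlueButton project code. Resolver and fetcher are
# injectable so the example runs offline; all hosts and addresses are constructed.
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def is_public_address(ip_str):
    """True only for globally routable addresses; unwraps IPv4-mapped IPv6 first."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolve(host):
    """Default resolver: every address the system returns for the name."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def validate_fetch_url(url, resolve=system_resolve):
    """Return (ok, reason, ip_to_connect_to)."""
    u = urlsplit(url)
    if u.scheme not in ("http", "https"):
        return (False, "scheme not allowed", None)
    if not u.hostname:
        return (False, "no host", None)
    if u.username or u.password:
        return (False, "userinfo not allowed", None)
    try:
        ipaddress.ip_address(u.hostname)       # literal address: nothing to resolve
        ips = [u.hostname]
    except ValueError:
        try:
            ips = resolve(u.hostname)
        except (socket.gaierror, KeyError):
            return (False, "unresolvable host", None)
    if not ips:
        return (False, "unresolvable host", None)
    for ip in ips:                              # every answer must be public
        if not is_public_address(ip):
            return (False, f"non-public address {ip}", None)
    return (True, "ok", ips[0])


def fetch_document(url, fetch, resolve=system_resolve, max_hops=3):
    """fetch(url, ip) -> (status, headers, body); it must connect to ip and must
    NOT follow redirects itself. Returns (body, "ok") or (None, reason)."""
    for _ in range(max_hops + 1):
        ok, reason, ip = validate_fetch_url(url, resolve)
        if not ok:
            return (None, f"rejected {url}: {reason}")
        status, headers, body = fetch(url, ip)
        if status in REDIRECT_STATUSES:
            location = headers.get("Location")
            if not location:
                return (None, "redirect without Location")
            url = urljoin(url, location)        # re-validated on the next pass
            continue
        if status != 200:
            return (None, f"HTTP {status}")
        return (body, "ok")
    return (None, "too many redirects")


# Constructed test doubles so the example runs offline.
FAKE_DNS = {
    "docs.example.org": ["203.0.113.10"],
    "internal.example.org": ["10.0.0.5"],
}


def fake_resolve(host):
    return FAKE_DNS[host]                       # KeyError -> "unresolvable host"


def fake_fetch(url, ip):
    if url == "https://docs.example.org/slides.pdf":
        return (200, {}, b"%PDF-1.4 constructed sample")
    if url == "https://docs.example.org/redir":
        return (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b"")
    return (404, {}, b"")


if __name__ == "__main__":
    print(fetch_document("https://docs.example.org/slides.pdf", fake_fetch, fake_resolve))
    print(fetch_document("https://docs.example.org/redir", fake_fetch, fake_resolve))
```

The redirect case is the one that matters for the bypass: the first URL is on a public host and passes, but the `Location` it returns points at a link-local metadata address, and because the loop validates the new target before the next request, the hop is refused. Pinning the connection to the IP returned by `validate_fetch_url` also closes the gap between resolution and connection that DNS rebinding relies on.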

Page 1 of 3