Bigbluebutton
Source repositories
CVEs (54)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2022-23488 | 0.00 | — | 0.01 | Dec 17, 2022 | BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are vulnerable to Insertion of Sensitive Information Into Sent Data. The moderators-only webcams lock setting is not enforced on the backend, which allows an attacker to subscribe to viewers'… | |||
| CVE-2022-23490 | 0.00 | — | 0.00 | Dec 16, 2022 | BigBlueButton is an open source web conferencing system. Versions prior to 2.4.0 expose sensitive information to Unauthorized Actors. This issue affects meetings with polls, where the attacker is a meeting participant. Subscribing to the current-poll collection does not update… | |||
| CVE-2022-41964 | 0.00 | — | 0.01 | Dec 16, 2022 | BigBlueButton is an open source web conferencing system. This vulnerability only affects release candidates of BigBlueButton 2.4. The attacker can start a subscription for poll results before starting an anonymous poll, and use this subscription to see individual responses in… | |||
| CVE-2022-41963 | 0.00 | — | 0.00 | Dec 16, 2022 | BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3 contain a whiteboard grace period that exists to handle delayed messages, but this grace period could be used by attackers to take actions in the few seconds after their access is revoked. The… | |||
| CVE-2022-41962 | 0.00 | — | 0.01 | Dec 16, 2022 | BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6, and 2.5-alpha-1 contain Incorrect Authorization for setting emoji status. A user with moderator rights can use the clear status feature to set any emoji status for other users. Moderators should… | |||
| CVE-2022-41961 | 0.00 | — | 0.00 | Dec 16, 2022 | BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are subject to Ineffective user bans. The attacker could register multiple users, and join the meeting with one of them. When that user is banned, they could still join the meeting with the… | |||
| CVE-2022-41960 | 0.00 | — | 0.00 | Dec 15, 2022 | BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3, are subject to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to `validateAuthToken` using a victim's userId, meetingId, and an… | |||
| CVE-2022-31064 | 0.00 | — | 0.01 | Jun 27, 2022 | BigBlueButton is an open source web conferencing system. Users in meetings with private chat enabled are vulnerable to a cross site scripting attack in affected versions. The attack occurs when the attacker (with xss in the name) starts a chat. in the victim's client the… | |||
| CVE-2022-31065 | 0.00 | — | 0.01 | Jun 27, 2022 | BigBlueButton is an open source web conferencing system. In affected versions an attacker can embed malicious JS in their username and have it executed on the victim's client. When a user receives a private chat from the attacker (whose username contains malicious JavaScript),… | |||
| CVE-2022-27238 | 0.00 | — | 0.00 | Jun 24, 2022 | BigBlueButton version 2.4.7 (or earlier) is vulnerable to stored Cross-Site Scripting (XSS) in the private chat functionality. A threat actor could inject JavaScript payload in his/her username. The payload gets executed in the browser of the victim each time the attacker sends… | |||
| CVE-2022-29235 | 0.00 | — | 0.01 | Jun 1, 2022 | BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker who is able to obtain the meeting identifier for a meeting on a server can find information related to an external video being shared, like the… | |||
| CVE-2022-29236 | 0.00 | — | 0.01 | Jun 1, 2022 | BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker can circumvent access restrictions for drawing on the whiteboard. The permission check is inadvertently skipped on the server, due to a… | |||
| CVE-2022-29234 | 0.00 | — | 0.01 | Jun 1, 2022 | BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4.1, an attacker could send messages to a locked chat within a grace period of 5s any lock setting in the meeting was changed. The attacker needs to be a… | |||
| CVE-2022-29233 | 0.00 | — | 0.01 | Jun 1, 2022 | BigBlueButton is an open source web conferencing system. In BigBlueButton starting with 2.2 but before 2.3.18 and 2.4-rc-1, an attacker can circumvent access controls to gain access to all breakout rooms of the meeting they are in. The permission checks rely on knowledge of… | |||
| CVE-2022-29232 | 0.00 | — | 0.01 | Jun 1, 2022 | BigBlueButton is an open source web conferencing system. Starting with version 2.2 and prior to versions 2.3.9 and 2.4-beta-1, an attacker can circumvent access controls to obtain the content of public chat messages from different meetings on the server. The attacker must be a… | |||
| CVE-2022-29169 | 0.00 | — | 0.01 | Jun 1, 2022 | BigBlueButton is an open source web conferencing system. Versions starting with 2.2 and prior to 2.3.19, 2.4.7, and 2.5.0-beta.2 are vulnerable to regular expression denial of service (ReDoS) attacks. By using specific a RegularExpression, an attacker can cause denial of service… | |||
| CVE-2021-4143 | 0.00 | — | 0.01 | Jan 19, 2022 | Cross-site Scripting (XSS) - Generic in GitHub repository bigbluebutton/bigbluebutton prior to 2.4.0. | |||
| CVE-2020-29042 | 0.00 | — | 0.01 | Nov 26, 2020 | An issue was discovered in BigBlueButton through 2.2.29. A brute-force attack may occur because an unlimited number of codes can be entered for a meeting that is protected by an access code. | |||
| CVE-2020-29043 | 0.00 | — | 0.01 | Nov 26, 2020 | An issue was discovered in BigBlueButton through 2.2.29. When at attacker is able to view an account_activations/edit?token= URI, the attacker can create an approved user account associated with an email address that has an arbitrary domain name. | |||
| CVE-2020-28953 | 0.00 | — | 0.01 | Nov 19, 2020 | In BigBlueButton before 2.2.29, a user can vote more than once in a single poll. |
- CVE-2022-23488Dec 17, 2022risk 0.00cvss —epss 0.01
BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are vulnerable to Insertion of Sensitive Information Into Sent Data. The moderators-only webcams lock setting is not enforced on the backend, which allows an attacker to subscribe to viewers'…
- CVE-2022-23490Dec 16, 2022risk 0.00cvss —epss 0.00
BigBlueButton is an open source web conferencing system. Versions prior to 2.4.0 expose sensitive information to Unauthorized Actors. This issue affects meetings with polls, where the attacker is a meeting participant. Subscribing to the current-poll collection does not update…
- CVE-2022-41964Dec 16, 2022risk 0.00cvss —epss 0.01
BigBlueButton is an open source web conferencing system. This vulnerability only affects release candidates of BigBlueButton 2.4. The attacker can start a subscription for poll results before starting an anonymous poll, and use this subscription to see individual responses in…
- CVE-2022-41963Dec 16, 2022risk 0.00cvss —epss 0.00
BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3 contain a whiteboard grace period that exists to handle delayed messages, but this grace period could be used by attackers to take actions in the few seconds after their access is revoked. The…
- CVE-2022-41962Dec 16, 2022risk 0.00cvss —epss 0.01
BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6, and 2.5-alpha-1 contain Incorrect Authorization for setting emoji status. A user with moderator rights can use the clear status feature to set any emoji status for other users. Moderators should…
- CVE-2022-41961Dec 16, 2022risk 0.00cvss —epss 0.00
BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are subject to Ineffective user bans. The attacker could register multiple users, and join the meeting with one of them. When that user is banned, they could still join the meeting with the…
- CVE-2022-41960Dec 15, 2022risk 0.00cvss —epss 0.00
BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3, are subject to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to `validateAuthToken` using a victim's userId, meetingId, and an…
- CVE-2022-31064Jun 27, 2022risk 0.00cvss —epss 0.01
BigBlueButton is an open source web conferencing system. Users in meetings with private chat enabled are vulnerable to a cross site scripting attack in affected versions. The attack occurs when the attacker (with xss in the name) starts a chat. in the victim's client the…
- CVE-2022-31065Jun 27, 2022risk 0.00cvss —epss 0.01
BigBlueButton is an open source web conferencing system. In affected versions an attacker can embed malicious JS in their username and have it executed on the victim's client. When a user receives a private chat from the attacker (whose username contains malicious JavaScript),…
- CVE-2022-27238Jun 24, 2022risk 0.00cvss —epss 0.00
BigBlueButton version 2.4.7 (or earlier) is vulnerable to stored Cross-Site Scripting (XSS) in the private chat functionality. A threat actor could inject JavaScript payload in his/her username. The payload gets executed in the browser of the victim each time the attacker sends…
- CVE-2022-29235Jun 1, 2022risk 0.00cvss —epss 0.01
BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker who is able to obtain the meeting identifier for a meeting on a server can find information related to an external video being shared, like the…
- CVE-2022-29236Jun 1, 2022risk 0.00cvss —epss 0.01
BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker can circumvent access restrictions for drawing on the whiteboard. The permission check is inadvertently skipped on the server, due to a…
- CVE-2022-29234Jun 1, 2022risk 0.00cvss —epss 0.01
BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4.1, an attacker could send messages to a locked chat within a grace period of 5s any lock setting in the meeting was changed. The attacker needs to be a…
- CVE-2022-29233Jun 1, 2022risk 0.00cvss —epss 0.01
BigBlueButton is an open source web conferencing system. In BigBlueButton starting with 2.2 but before 2.3.18 and 2.4-rc-1, an attacker can circumvent access controls to gain access to all breakout rooms of the meeting they are in. The permission checks rely on knowledge of…
- CVE-2022-29232Jun 1, 2022risk 0.00cvss —epss 0.01
BigBlueButton is an open source web conferencing system. Starting with version 2.2 and prior to versions 2.3.9 and 2.4-beta-1, an attacker can circumvent access controls to obtain the content of public chat messages from different meetings on the server. The attacker must be a…
- CVE-2022-29169Jun 1, 2022risk 0.00cvss —epss 0.01
BigBlueButton is an open source web conferencing system. Versions starting with 2.2 and prior to 2.3.19, 2.4.7, and 2.5.0-beta.2 are vulnerable to regular expression denial of service (ReDoS) attacks. By using specific a RegularExpression, an attacker can cause denial of service…
- CVE-2021-4143Jan 19, 2022risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Generic in GitHub repository bigbluebutton/bigbluebutton prior to 2.4.0.
- CVE-2020-29042Nov 26, 2020risk 0.00cvss —epss 0.01
An issue was discovered in BigBlueButton through 2.2.29. A brute-force attack may occur because an unlimited number of codes can be entered for a meeting that is protected by an access code.
- CVE-2020-29043Nov 26, 2020risk 0.00cvss —epss 0.01
An issue was discovered in BigBlueButton through 2.2.29. When at attacker is able to view an account_activations/edit?token= URI, the attacker can create an approved user account associated with an email address that has an arbitrary domain name.
- CVE-2020-28953Nov 19, 2020risk 0.00cvss —epss 0.01
In BigBlueButton before 2.2.29, a user can vote more than once in a single poll.
Page 2 of 3