Bigbluebutton
Source repositories
CVEs (54)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-28954 | 0.00 | — | 0.01 | Nov 19, 2020 | web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name. | |||
| CVE-2020-27601 | 0.00 | — | 0.01 | Oct 21, 2020 | In BigBlueButton before 2.2.7, lockSettingsProps.disablePrivateChat does not apply to already opened chats. This occurs in bigbluebutton-html5/imports/ui/components/chat/service.js. | |||
| CVE-2020-27604 | 0.00 | — | 0.01 | Oct 21, 2020 | BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example) use api/join to join an… | |||
| CVE-2020-27605 | 0.00 | — | 0.01 | Oct 21, 2020 | BigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox." | |||
| CVE-2020-27607 | 0.00 | — | 0.01 | Oct 21, 2020 | In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store… | |||
| CVE-2020-27609 | 0.00 | — | 0.01 | Oct 21, 2020 | BigBlueButton through 2.2.28 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant. | |||
| CVE-2020-27611 | 0.00 | — | 0.01 | Oct 21, 2020 | BigBlueButton through 2.2.28 uses STUN/TURN resources from a third party, which may represent an unintended endpoint. | |||
| CVE-2020-27613 | 0.00 | — | 0.00 | Oct 21, 2020 | The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which allows local users to achieve unintended FreeSWITCH access. | |||
| CVE-2020-27610 | 0.00 | — | 0.01 | Oct 21, 2020 | The installation procedure in BigBlueButton before 2.2.28 (or earlier) exposes certain network services to external interfaces, and does not automatically set up a firewall configuration to block external access. | |||
| CVE-2020-27608 | 0.00 | — | 0.01 | Oct 21, 2020 | In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document. | |||
| CVE-2020-27606 | 0.00 | — | 0.01 | Oct 21, 2020 | BigBlueButton before 2.2.28 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. | |||
| CVE-2020-27602 | 0.00 | — | 0.01 | Oct 21, 2020 | BigBlueButton before 2.2.7 does not have a protection mechanism for separator injection in meetingId, userId, and authToken. | |||
| CVE-2020-12443 | 0.00 | — | 0.04 | Apr 29, 2020 | BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value can be a .pdf filename while the presFilename (mixed case) value has a ../ sequence. This can be leveraged for privilege escalation via a directory traversal to… | |||
| CVE-2020-12113 | 0.00 | — | 0.01 | Apr 23, 2020 | BigBlueButton before 2.2.4 allows XSS via closed captions because dangerouslySetInnerHTML in React is used. |
- CVE-2020-28954Nov 19, 2020risk 0.00cvss —epss 0.01
web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name.
- CVE-2020-27601Oct 21, 2020risk 0.00cvss —epss 0.01
In BigBlueButton before 2.2.7, lockSettingsProps.disablePrivateChat does not apply to already opened chats. This occurs in bigbluebutton-html5/imports/ui/components/chat/service.js.
- CVE-2020-27604Oct 21, 2020risk 0.00cvss —epss 0.01
BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example) use api/join to join an…
- CVE-2020-27605Oct 21, 2020risk 0.00cvss —epss 0.01
BigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox."
- CVE-2020-27607Oct 21, 2020risk 0.00cvss —epss 0.01
In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store…
- CVE-2020-27609Oct 21, 2020risk 0.00cvss —epss 0.01
BigBlueButton through 2.2.28 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant.
- CVE-2020-27611Oct 21, 2020risk 0.00cvss —epss 0.01
BigBlueButton through 2.2.28 uses STUN/TURN resources from a third party, which may represent an unintended endpoint.
- CVE-2020-27613Oct 21, 2020risk 0.00cvss —epss 0.00
The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which allows local users to achieve unintended FreeSWITCH access.
- CVE-2020-27610Oct 21, 2020risk 0.00cvss —epss 0.01
The installation procedure in BigBlueButton before 2.2.28 (or earlier) exposes certain network services to external interfaces, and does not automatically set up a firewall configuration to block external access.
- CVE-2020-27608Oct 21, 2020risk 0.00cvss —epss 0.01
In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.
- CVE-2020-27606Oct 21, 2020risk 0.00cvss —epss 0.01
BigBlueButton before 2.2.28 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
- CVE-2020-27602Oct 21, 2020risk 0.00cvss —epss 0.01
BigBlueButton before 2.2.7 does not have a protection mechanism for separator injection in meetingId, userId, and authToken.
- CVE-2020-12443Apr 29, 2020risk 0.00cvss —epss 0.04
BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value can be a .pdf filename while the presFilename (mixed case) value has a ../ sequence. This can be leveraged for privilege escalation via a directory traversal to…
- CVE-2020-12113Apr 23, 2020risk 0.00cvss —epss 0.01
BigBlueButton before 2.2.4 allows XSS via closed captions because dangerouslySetInnerHTML in React is used.
Page 3 of 3