VYPR

Vendor CVEs

Bigbluebutton

All CVEs

54 total · sorted by risk
  • CVE-2023-7296MedOct 16, 2024
    risk 0.42cvss 6.4epss 0.00

    The BigBlueButton plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the the moderator code and viewer code fields in versions up to, and including, 3.0.0-beta.4 due to insufficient input sanitization and output escaping. This makes it possible for…

  • CVE-2026-27737MedMay 18, 2026
    risk 0.35cvss 6.5epss 0.00

    BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.19, the recording playback (presentation format) was not sanitizing user's input in public chat. This allowed for a malicious actor to craft and carry out a targeted XSS attack, activated on anyone…

  • CVE-2026-41127MedApr 22, 2026
    risk 0.35cvss 6.5epss 0.00

    BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have a missing authorization that allows viewers to inject/overwrite captions Version 3.0.24 tightened the permissions on who is able to submit captions. No known workarounds are available.

  • CVE-2024-38518MedJun 28, 2024
    risk 0.23cvss 4.6epss 0.00

    BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker with a valid join link to a meeting can trick BigBlueButton into generating a signed join link with additional parameters. One of those parameters may be…

  • CVE-2026-41126MedApr 22, 2026
    risk 0.21cvss 4.3epss 0.00

    BigBlueButton is an open-source virtual classroom. Versions prior to 3.0.24 have an Open Redirect through bigbluebutton/api/join via get-parameter "logoutURL." Version 3.0.24 has adjusted the handling of requests with incorrect checksum so that the default logoutURL is used. No…

  • CVE-2024-39302LowJun 28, 2024
    risk 0.17cvss 3.7epss 0.00

    BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker may be able to exploit the overly elevated file permissions in the `/usr/local/bigbluebutton/core/vendor/bundle/ruby/2.7.0/gems/resque-2.6.0` directory with the goal…

  • CVE-2020-25820Oct 21, 2020
    risk 0.04cvss epss 0.09

    BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field.

  • CVE-2020-27603Oct 21, 2020
    risk 0.02cvss epss 0.03

    BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access external files.

  • CVE-2020-12112Apr 23, 2020
    risk 0.01cvss epss 0.05

    BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion.

  • CVE-2026-27736Feb 25, 2026
    risk 0.00cvss epss 0.00

    BigBlueButton is an open-source virtual classroom. In versions on the 3.x branch prior to 3.0.20, the string received with errorRedirectUrl lacks validation, using it directly in the respondWithRedirect function leads to an Open Redirect vulnerability. BigBlueButton 3.0.20…

  • CVE-2026-27467Feb 21, 2026
    risk 0.00cvss epss 0.00

    BigBlueButton is an open-source virtual classroom. In versions 3.0.19 and below, when first joining a session with the microphone muted, the client sends audio to the server regardless of mute state. Media is discarded at the server side, so it isn't audible to any participants,…

  • CVE-2026-27466Feb 21, 2026
    risk 0.00cvss epss 0.00

    BigBlueButton is an open-source virtual classroom. In versions 3.0.21 and below, the official documentation for "Server Customization" on Support for ClamAV as presentation file scanner contains instructions that leave a BBB server vulnerable for Denial of Service. The flawed…

  • CVE-2025-61602Oct 9, 2025
    risk 0.00cvss epss 0.00

    BigBlueButton is an open-source virtual classroom. A denial-of-service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to crash the chat functionality for all participants in a meeting by sending a malformed `reactionEmojiId` in the GraphQL mutation…

  • CVE-2025-61601Oct 9, 2025
    risk 0.00cvss epss 0.00

    BigBlueButton is an open-source virtual classroom. A Denial of Service (DoS) vulnerability in versions prior to 3.0.13 allows any authenticated user to freeze or crash the entire server by abusing the polling feature's `Choices` response type. By submitting a malicious payload…

  • CVE-2025-55200Oct 9, 2025
    risk 0.00cvss epss 0.00

    BigBlueButton is an open-source virtual classroom. In versions prior to 3.0.13, the "Shared Notes" feature contains a Stored Cross-Site Scripting (XSS) vulnerability with the input location being the "Username" field and the output location on the "Shared Notes" page, when a…

  • CVE-2023-43798Oct 30, 2023
    risk 0.00cvss epss 0.00

    BigBlueButton is an open-source virtual classroom. BigBlueButton prior to versions 2.6.12 and 2.7.0-rc.1 is vulnerable to Server-Side Request Forgery (SSRF). This issue is a bypass of CVE-2023-33176. A patch in versions 2.6.12 and 2.7.0-rc.1 disabled follow redirect at…

  • CVE-2023-43797Oct 30, 2023
    risk 0.00cvss epss 0.00

    BigBlueButton is an open-source virtual classroom. Prior to versions 2.6.11 and 2.7.0-beta.3, Guest Lobby was vulnerable to cross-site scripting when users wait to enter the meeting due to inserting unsanitized messages to the element using unsafe innerHTML. Text sanitizing was…

  • CVE-2023-42804Oct 30, 2023
    risk 0.00cvss epss 0.00

    BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.1 has a path traversal vulnerability that allows an attacker with a valid starting folder path, to traverse and read other files without authentication, assuming the files have certain…

  • CVE-2023-42803Oct 30, 2023
    risk 0.00cvss epss 0.01

    BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.2 is vulnerable to unrestricted file upload, where the insertDocument API call does not validate the given file extension before saving the file, and does not remove it in case of…

  • CVE-2023-33176Jun 26, 2023
    risk 0.00cvss epss 0.00

    BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. In affected versions are affected by a Server-Side Request Forgery (SSRF) vulnerability. In an `insertDocument` API request the user is able to supply a URL from which the…

  • CVE-2022-23488Dec 17, 2022
    risk 0.00cvss epss 0.01

    BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are vulnerable to Insertion of Sensitive Information Into Sent Data. The moderators-only webcams lock setting is not enforced on the backend, which allows an attacker to subscribe to viewers'…

  • CVE-2022-23490Dec 16, 2022
    risk 0.00cvss epss 0.00

    BigBlueButton is an open source web conferencing system. Versions prior to 2.4.0 expose sensitive information to Unauthorized Actors. This issue affects meetings with polls, where the attacker is a meeting participant. Subscribing to the current-poll collection does not update…

  • CVE-2022-41964Dec 16, 2022
    risk 0.00cvss epss 0.01

    BigBlueButton is an open source web conferencing system. This vulnerability only affects release candidates of BigBlueButton 2.4. The attacker can start a subscription for poll results before starting an anonymous poll, and use this subscription to see individual responses in…

  • CVE-2022-41963Dec 16, 2022
    risk 0.00cvss epss 0.00

    BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3 contain a whiteboard grace period that exists to handle delayed messages, but this grace period could be used by attackers to take actions in the few seconds after their access is revoked. The…

  • CVE-2022-41962Dec 16, 2022
    risk 0.00cvss epss 0.01

    BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6, and 2.5-alpha-1 contain Incorrect Authorization for setting emoji status. A user with moderator rights can use the clear status feature to set any emoji status for other users. Moderators should…

  • CVE-2022-41961Dec 16, 2022
    risk 0.00cvss epss 0.00

    BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are subject to Ineffective user bans. The attacker could register multiple users, and join the meeting with one of them. When that user is banned, they could still join the meeting with the…

  • CVE-2022-41960Dec 15, 2022
    risk 0.00cvss epss 0.00

    BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3, are subject to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to `validateAuthToken` using a victim's userId, meetingId, and an…

  • CVE-2022-31064Jun 27, 2022
    risk 0.00cvss epss 0.01

    BigBlueButton is an open source web conferencing system. Users in meetings with private chat enabled are vulnerable to a cross site scripting attack in affected versions. The attack occurs when the attacker (with xss in the name) starts a chat. in the victim's client the…

  • CVE-2022-31065Jun 27, 2022
    risk 0.00cvss epss 0.01

    BigBlueButton is an open source web conferencing system. In affected versions an attacker can embed malicious JS in their username and have it executed on the victim's client. When a user receives a private chat from the attacker (whose username contains malicious JavaScript),…

  • CVE-2022-27238Jun 24, 2022
    risk 0.00cvss epss 0.00

    BigBlueButton version 2.4.7 (or earlier) is vulnerable to stored Cross-Site Scripting (XSS) in the private chat functionality. A threat actor could inject JavaScript payload in his/her username. The payload gets executed in the browser of the victim each time the attacker sends…

  • CVE-2022-29235Jun 1, 2022
    risk 0.00cvss epss 0.01

    BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker who is able to obtain the meeting identifier for a meeting on a server can find information related to an external video being shared, like the…

  • CVE-2022-29236Jun 1, 2022
    risk 0.00cvss epss 0.01

    BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker can circumvent access restrictions for drawing on the whiteboard. The permission check is inadvertently skipped on the server, due to a…

  • CVE-2022-29234Jun 1, 2022
    risk 0.00cvss epss 0.01

    BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4.1, an attacker could send messages to a locked chat within a grace period of 5s any lock setting in the meeting was changed. The attacker needs to be a…

  • CVE-2022-29233Jun 1, 2022
    risk 0.00cvss epss 0.01

    BigBlueButton is an open source web conferencing system. In BigBlueButton starting with 2.2 but before 2.3.18 and 2.4-rc-1, an attacker can circumvent access controls to gain access to all breakout rooms of the meeting they are in. The permission checks rely on knowledge of…

  • CVE-2022-29232Jun 1, 2022
    risk 0.00cvss epss 0.01

    BigBlueButton is an open source web conferencing system. Starting with version 2.2 and prior to versions 2.3.9 and 2.4-beta-1, an attacker can circumvent access controls to obtain the content of public chat messages from different meetings on the server. The attacker must be a…

  • CVE-2022-29169Jun 1, 2022
    risk 0.00cvss epss 0.01

    BigBlueButton is an open source web conferencing system. Versions starting with 2.2 and prior to 2.3.19, 2.4.7, and 2.5.0-beta.2 are vulnerable to regular expression denial of service (ReDoS) attacks. By using specific a RegularExpression, an attacker can cause denial of service…

  • CVE-2021-4143Jan 19, 2022
    risk 0.00cvss epss 0.01

    Cross-site Scripting (XSS) - Generic in GitHub repository bigbluebutton/bigbluebutton prior to 2.4.0.

  • CVE-2020-29042Nov 26, 2020
    risk 0.00cvss epss 0.01

    An issue was discovered in BigBlueButton through 2.2.29. A brute-force attack may occur because an unlimited number of codes can be entered for a meeting that is protected by an access code.

  • CVE-2020-29043Nov 26, 2020
    risk 0.00cvss epss 0.01

    An issue was discovered in BigBlueButton through 2.2.29. When at attacker is able to view an account_activations/edit?token= URI, the attacker can create an approved user account associated with an email address that has an arbitrary domain name.

  • CVE-2020-28953Nov 19, 2020
    risk 0.00cvss epss 0.01

    In BigBlueButton before 2.2.29, a user can vote more than once in a single poll.

  • CVE-2020-28954Nov 19, 2020
    risk 0.00cvss epss 0.01

    web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name.

  • CVE-2020-27601Oct 21, 2020
    risk 0.00cvss epss 0.01

    In BigBlueButton before 2.2.7, lockSettingsProps.disablePrivateChat does not apply to already opened chats. This occurs in bigbluebutton-html5/imports/ui/components/chat/service.js.

  • CVE-2020-27604Oct 21, 2020
    risk 0.00cvss epss 0.01

    BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example) use api/join to join an…

  • CVE-2020-27605Oct 21, 2020
    risk 0.00cvss epss 0.01

    BigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox."

  • CVE-2020-27607Oct 21, 2020
    risk 0.00cvss epss 0.01

    In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store…

  • CVE-2020-27609Oct 21, 2020
    risk 0.00cvss epss 0.01

    BigBlueButton through 2.2.28 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant.

  • CVE-2020-27611Oct 21, 2020
    risk 0.00cvss epss 0.01

    BigBlueButton through 2.2.28 uses STUN/TURN resources from a third party, which may represent an unintended endpoint.

  • CVE-2020-27613Oct 21, 2020
    risk 0.00cvss epss 0.00

    The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which allows local users to achieve unintended FreeSWITCH access.

  • CVE-2020-27610Oct 21, 2020
    risk 0.00cvss epss 0.01

    The installation procedure in BigBlueButton before 2.2.28 (or earlier) exposes certain network services to external interfaces, and does not automatically set up a firewall configuration to block external access.

  • CVE-2020-27608Oct 21, 2020
    risk 0.00cvss epss 0.01

    In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.

Page 1 of 2