CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Bigbluebutton » Bigbluebutton » * * * * : Security Vulnerabilities

Cpe Name:cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*
Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2022-31065 79 XSS 2022-06-27 2022-07-07
4.3
None Remote Medium Not required None Partial None
BigBlueButton is an open source web conferencing system. In affected versions an attacker can embed malicious JS in their username and have it executed on the victim's client. When a user receives a private chat from the attacker (whose username contains malicious JavaScript), the script gets executed. Additionally when the victim receives a notification that the attacker has left the session. This issue has been patched in version 2.4.8 and 2.5.0. There are no known workarounds for this issue.
2 CVE-2022-31064 79 XSS 2022-06-27 2022-07-07
2.1
None Remote High ??? None Partial None
BigBlueButton is an open source web conferencing system. Users in meetings with private chat enabled are vulnerable to a cross site scripting attack in affected versions. The attack occurs when the attacker (with xss in the name) starts a chat. in the victim's client the JavaScript will be executed. This issue has been addressed in version 2.4.8 and 2.5.0. There are no known workarounds for this issue.
3 CVE-2022-29236 285 2022-06-02 2022-06-09
4.0
None Remote Low ??? Partial None None
BigBlueButton is an open source web conferencing system. Starting in version 2.2 and up to versions 2.3.18 and 2.4-rc-6, an attacker can circumvent access restrictions for drawing on the whiteboard. The permission check is inadvertently skipped on the server, due to a previously introduced grace period. The attacker must be a meeting participant. The problem has been patched in versions 2.3.18 and 2.4-rc-6. There are currently no known workarounds.
4 CVE-2022-29235 200 +Info 2022-06-02 2022-06-09
4.3
None Remote Medium Not required Partial None None
BigBlueButton is an open source web conferencing system. Starting in version 2.2 and up to versions 2.3.18 and 2.4-rc-6, an attacker who is able to obtain the meeting identifier for a meeting on a server can find information related to an external video being shared, like the current timestamp and play/pause. The problem has been patched in versions 2.3.18 and 2.4-rc-6 by modifying the stream to send the data only for users in the meeting. There are currently no known workarounds.
5 CVE-2022-29234 285 2022-06-02 2022-06-09
4.0
None Remote Low ??? None Partial None
BigBlueButton is an open source web conferencing system. Starting in version 2.2 and up to versions 2.3.18 and 2.4.1, an attacker could send messages to a locked chat within a grace period of 5s after the lock setting was enacted. The attacker needs to be a participant in the meeting. Versions 2.3.18 and 2.4.1 contain a patch for this issue. There are currently no known workarounds.
6 CVE-2022-29233 285 2022-06-02 2022-06-09
5.0
None Remote Low Not required Partial None None
BigBlueButton is an open source web conferencing system. In BigBlueButton starting with 2.2 but before 2.3.18 and 2.4-rc-1, an attacker can circumvent access controls to gain access to all breakout rooms of the meeting they are in. The permission checks rely on knowledge of internal ids rather than on verification of the role of the user. Versions 2.3.18 and 2.4-rc-1 contain a patch for this issue. There are currently no known workarounds.
7 CVE-2022-29232 200 +Info 2022-06-01 2022-06-09
4.0
None Remote Low ??? Partial None None
BigBlueButton is an open source web conferencing system. Starting with version 2.2 and prior to versions 2.3.9 and 2.4-beta-1, an attacker can circumvent access controls to obtain the content of public chat messages from different meetings on the server. The attacker must be a participant in a meeting on the server. BigBlueButton versions 2.3.9 and 2.4-beta-1 contain a patch for this issue. There are currently no known workarounds.
8 CVE-2022-29169 20 DoS 2022-06-01 2022-06-09
5.0
None Remote Low Not required None None Partial
BigBlueButton is an open source web conferencing system. Versions starting with 2.2 and prior to 2.3.19, 2.4.7, and 2.5.0-beta.2 are vulnerable to regular expression denial of service (ReDoS) attacks. By using specific a RegularExpression, an attacker can cause denial of service for the bbb-html5 service. The useragent library performs checking of device by parsing the input of User-Agent header and lets it go through lookupUserAgent() (alias of useragent.lookup() ). This function handles input by regexing and attackers can abuse that by providing some ReDos payload using `SmartWatch`. The maintainers removed `htmlclient/useragent` from versions 2.3.19, 2.4.7, and 2.5.0-beta.2. As a workaround, disable NginX forwarding the requests to the handler according to the directions in the GitHub Security Advisory.
9 CVE-2022-27238 79 XSS 2022-06-24 2022-07-05
3.5
None Remote Medium ??? None Partial None
BigBlueButton version 2.4.7 (or earlier) is vulnerable to stored Cross-Site Scripting (XSS) in the private chat functionality. A threat actor could inject JavaScript payload in his/her username. The payload gets executed in the browser of the victim each time the attacker sends a private message to the victim or when notification about the attacker leaving room is displayed.
10 CVE-2021-4143 79 XSS 2022-01-19 2022-01-25
4.3
None Remote Medium Not required None Partial None
Cross-site Scripting (XSS) - Generic in GitHub repository bigbluebutton/bigbluebutton prior to 2.4.0.
11 CVE-2020-29043 862 2020-11-26 2021-07-21
5.0
None Remote Low Not required None Partial None
An issue was discovered in BigBlueButton through 2.2.29. When at attacker is able to view an account_activations/edit?token= URI, the attacker can create an approved user account associated with an email address that has an arbitrary domain name.
12 CVE-2020-29042 307 2020-11-26 2020-11-29
4.3
None Remote Medium Not required Partial None None
An issue was discovered in BigBlueButton through 2.2.29. A brute-force attack may occur because an unlimited number of codes can be entered for a meeting that is protected by an access code.
13 CVE-2020-28954 116 2020-11-19 2020-11-29
5.0
None Remote Low Not required None Partial None
web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name.
14 CVE-2020-28953 732 2020-11-19 2021-07-21
4.0
None Remote Low ??? None Partial None
In BigBlueButton before 2.2.29, a user can vote more than once in a single poll.
15 CVE-2020-27613 312 2020-10-21 2020-10-29
4.6
None Local Low Not required Partial Partial Partial
The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which allows local users to achieve unintended FreeSWITCH access.
16 CVE-2020-27612 200 +Info 2020-10-21 2020-10-29
4.0
None Remote Low ??? Partial None None
Greenlight in BigBlueButton through 2.2.28 places usernames in room URLs, which may represent an unintended information leak to users in a room, or an information leak to outsiders if any user publishes a screenshot of a browser window.
17 CVE-2020-27611 327 2020-10-21 2022-06-15
7.5
None Remote Low Not required Partial Partial Partial
BigBlueButton through 2.2.28 uses STUN/TURN resources from a third party, which may represent an unintended endpoint.
18 CVE-2020-27610 200 +Info 2020-10-21 2021-07-21
5.0
None Remote Low Not required Partial None None
The installation procedure in BigBlueButton before 2.2.28 (or earlier) exposes certain network services to external interfaces, and does not automatically set up a firewall configuration to block external access.
19 CVE-2020-27609 863 2020-10-21 2020-10-29
5.0
None Remote Low Not required None Partial None
BigBlueButton through 2.2.28 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant.
20 CVE-2020-27608 79 XSS 2020-10-21 2020-10-29
4.3
None Remote Medium Not required None Partial None
In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.
21 CVE-2020-27607 2020-10-21 2020-10-29
6.4
None Remote Low Not required Partial Partial None
In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or transmit it to one or more meeting participants or other third parties.
22 CVE-2020-27606 2020-10-21 2020-10-29
5.0
None Remote Low Not required Partial None None
BigBlueButton before 2.2.28 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
23 CVE-2020-27605 2020-10-21 2020-10-29
7.5
None Remote Low Not required Partial Partial Partial
BigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox."
24 CVE-2020-27604 116 2020-10-21 2020-10-30
4.0
None Remote Low ??? Partial None None
BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example) use api/join to join an arbitrary meeting regardless of its guestPolicy setting.
25 CVE-2020-27603 2020-10-21 2020-10-29
5.0
None Remote Low Not required Partial None None
BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access external files.
26 CVE-2020-25820 918 2020-10-21 2020-10-29
4.0
None Remote Low ??? Partial None None
BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field.
27 CVE-2020-12443 22 Dir. Trav. 2020-04-29 2020-05-06
7.5
None Remote Low Not required Partial Partial Partial
BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value can be a .pdf filename while the presFilename (mixed case) value has a ../ sequence. This can be leveraged for privilege escalation via a directory traversal to bigbluebutton.properties. NOTE: this issue exists because of an ineffective mitigation to CVE-2020-12112 in which there was an attempted fix within an NGINX configuration file, without considering that the relevant part of NGINX is case-insensitive.
28 CVE-2020-12113 79 XSS 2020-04-23 2020-09-30
4.3
None Remote Medium Not required None Partial None
BigBlueButton before 2.2.4 allows XSS via closed captions because dangerouslySetInnerHTML in React is used.
29 CVE-2020-12112 22 Dir. Trav. File Inclusion 2020-04-23 2022-07-10
5.0
None Remote Low Not required Partial None None
BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion.
Total number of vulnerabilities : 29   Page : 1 (This Page)
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.