Filtered by vendor Bigbluebutton
Total: 8 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2020-12112 | 1 Bigbluebutton | 1 Bigbluebutton | 2022-07-10 | 5.0 MEDIUM | 7.5 HIGH | BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion. |
| CVE-2020-27611 | 1 Bigbluebutton | 1 Bigbluebutton | 2022-06-15 | 7.5 HIGH | 7.3 HIGH | BigBlueButton through 2.2.28 uses STUN/TURN resources from a third party, which may represent an unintended endpoint. |
| CVE-2022-29169 | 1 Bigbluebutton | 1 Bigbluebutton | 2022-06-09 | 5.0 MEDIUM | 7.5 HIGH | BigBlueButton is an open source web conferencing system. Versions starting with 2.2 and prior to 2.3.19, 2.4.7, and 2.5.0-beta.2 are vulnerable to regular expression denial of service (ReDoS) attacks. By using a specific regular expression, an attacker can cause denial of service for the bbb-html5 service. The useragent library performs device checking by parsing the input of the User-Agent header and passing it through lookupUserAgent() (an alias of useragent.lookup()). This function handles input by regex matching, and attackers can abuse that by providing a ReDoS payload using `SmartWatch`. The maintainers removed `htmlclient/useragent` from versions 2.3.19, 2.4.7, and 2.5.0-beta.2. As a workaround, disable Nginx forwarding of the requests to the handler according to the directions in the GitHub Security Advisory. |
| CVE-2020-27610 | 1 Bigbluebutton | 1 Bigbluebutton | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH | The installation procedure in BigBlueButton before 2.2.28 (or earlier) exposes certain network services to external interfaces, and does not automatically set up a firewall configuration to block external access. |
| CVE-2020-29043 | 1 Bigbluebutton | 1 Bigbluebutton | 2021-07-21 | 5.0 MEDIUM | 7.5 HIGH | An issue was discovered in BigBlueButton through 2.2.29. When an attacker is able to view an account_activations/edit?token= URI, the attacker can create an approved user account associated with an email address that has an arbitrary domain name. |
| CVE-2020-27603 | 1 Bigbluebutton | 1 Bigbluebutton | 2020-10-29 | 5.0 MEDIUM | 7.5 HIGH | BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access external files. |
| CVE-2020-27613 | 1 Bigbluebutton | 1 Bigbluebutton | 2020-10-29 | 4.6 MEDIUM | 8.4 HIGH | The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which allows local users to achieve unintended FreeSWITCH access. |
| CVE-2020-26163 | 1 Bigbluebutton | 1 Greenlight | 2020-10-15 | 6.8 MEDIUM | 8.8 HIGH | BigBlueButton Greenlight before 2.5.6 allows HTTP header (Host and Origin) attacks, which can result in Account Takeover if a victim follows a spoofed password-reset link. |
