Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Bigbluebutton Subscribe
Total 42 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2022-23490 1 Bigbluebutton 1 Bigbluebutton 2022-12-22 N/A 4.3 MEDIUM
BigBlueButton is an open source web conferencing system. Versions prior to 2.4.0 expose sensitive information to Unauthorized Actors. This issue affects meetings with polls, where the attacker is a meeting participant. Subscribing to the current-poll collection does not update the client UI, but does give the attacker access to the contents of the collection, which include the individual poll responses. This issue is patched in version 2.4.0. There are no workarounds.
CVE-2022-23488 1 Bigbluebutton 1 Bigbluebutton 2022-12-22 N/A 7.5 HIGH
BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are vulnerable to Insertion of Sensitive Information Into Sent Data. The moderators-only webcams lock setting is not enforced on the backend, which allows an attacker to subscribe to viewers' webcams, even when the lock setting is applied. (The required streamId was being sent to all users even with lock setting applied). This issue is fixed in version 2.4-rc-6. There are no workarounds.
CVE-2022-41964 1 Bigbluebutton 1 Bigbluebutton 2022-12-21 N/A 5.7 MEDIUM
BigBlueButton is an open source web conferencing system. This vulnerability only affects release candidates of BigBlueButton 2.4. The attacker can start a subscription for poll results before starting an anonymous poll, and use this subscription to see individual responses in the anonymous poll. The attacker had to be a meeting presenter. This issue is patched in version 2.4.0. There are no workarounds.
CVE-2022-41962 1 Bigbluebutton 1 Bigbluebutton 2022-12-20 N/A 2.7 LOW
BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6, and 2.5-alpha-1 contain Incorrect Authorization for setting emoji status. A user with moderator rights can use the clear status feature to set any emoji status for other users. Moderators should only be able to set none as the status of other users. This issue is patched in 2.4-rc-6 and 2.5-alpha-1There are no workarounds.
CVE-2022-41961 1 Bigbluebutton 1 Bigbluebutton 2022-12-20 N/A 4.3 MEDIUM
BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are subject to Ineffective user bans. The attacker could register multiple users, and join the meeting with one of them. When that user is banned, they could still join the meeting with the remaining registered users from the same extId. This issue has been fixed by improving permissions such that banning a user removes all users related to their extId, including registered users that have not joined the meeting. This issue is patched in versions 2.4-rc-6 and 2.5-alpha-1. There are no workarounds.
CVE-2022-41960 1 Bigbluebutton 1 Bigbluebutton 2022-12-20 N/A 4.3 MEDIUM
BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3, are subject to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to `validateAuthToken` using a victim's userId, meetingId, and an invalid authToken. This forces the victim to leave the conference, because the resulting verification failure is also observed and handled by the victim's client. The attacker must be a participant in any meeting on the server. This issue is patched in version 2.4.3. There are no workarounds.
CVE-2022-41963 1 Bigbluebutton 1 Bigbluebutton 2022-12-20 N/A 3.1 LOW
BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3 contain a whiteboard grace period that exists to handle delayed messages, but this grace period could be used by attackers to take actions in the few seconds after their access is revoked. The attacker must be a meeting participant. This issue is patched in version 2.4.3 an version 2.5-alpha-1
CVE-2020-12112 1 Bigbluebutton 1 Bigbluebutton 2022-10-05 5.0 MEDIUM 7.5 HIGH
BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion.
CVE-2020-27602 1 Bigbluebutton 1 Bigbluebutton 2022-10-03 N/A 9.8 CRITICAL
BigBlueButton before 2.2.7 does not have a protection mechanism for separator injection in meetingId, userId, and authToken.
CVE-2020-27601 1 Bigbluebutton 1 Bigbluebutton 2022-10-03 N/A 3.5 LOW
In BigBlueButton before 2.2.7, lockSettingsProps.disablePrivateChat does not apply to already opened chats. This occurs in bigbluebutton-html5/imports/ui/components/chat/service.js.
CVE-2022-31065 1 Bigbluebutton 1 Bigbluebutton 2022-07-07 4.3 MEDIUM 6.1 MEDIUM
BigBlueButton is an open source web conferencing system. In affected versions an attacker can embed malicious JS in their username and have it executed on the victim's client. When a user receives a private chat from the attacker (whose username contains malicious JavaScript), the script gets executed. Additionally when the victim receives a notification that the attacker has left the session. This issue has been patched in version 2.4.8 and 2.5.0. There are no known workarounds for this issue.
CVE-2022-31064 1 Bigbluebutton 1 Bigbluebutton 2022-07-07 2.1 LOW 5.4 MEDIUM
BigBlueButton is an open source web conferencing system. Users in meetings with private chat enabled are vulnerable to a cross site scripting attack in affected versions. The attack occurs when the attacker (with xss in the name) starts a chat. in the victim's client the JavaScript will be executed. This issue has been addressed in version 2.4.8 and 2.5.0. There are no known workarounds for this issue.
CVE-2022-31039 1 Bigbluebutton 1 Greenlight 2022-07-07 5.0 MEDIUM 5.3 MEDIUM
Greenlight is a simple front-end interface for your BigBlueButton server. In affected versions an attacker can view any room's settings even though they are not authorized to do so. Only the room owner and administrator should be able to view a room's settings. This issue has been patched in release version 2.12.6.
CVE-2022-27238 1 Bigbluebutton 1 Bigbluebutton 2022-07-05 3.5 LOW 5.4 MEDIUM
BigBlueButton version 2.4.7 (or earlier) is vulnerable to stored Cross-Site Scripting (XSS) in the private chat functionality. A threat actor could inject JavaScript payload in his/her username. The payload gets executed in the browser of the victim each time the attacker sends a private message to the victim or when notification about the attacker leaving room is displayed.
CVE-2020-27611 1 Bigbluebutton 1 Bigbluebutton 2022-06-14 7.5 HIGH 7.3 HIGH
BigBlueButton through 2.2.28 uses STUN/TURN resources from a third party, which may represent an unintended endpoint.
CVE-2022-26497 1 Bigbluebutton 1 Greenlight 2022-06-10 3.5 LOW 5.4 MEDIUM
BigBlueButton Greenlight 2.11.1 allows XSS. A threat actor could have a username containing a JavaScript payload. The payload gets executed in the browser of the victim in the "Share room access" dialog if the victim has shared access to the particular room with the attacker previously.
CVE-2022-29236 1 Bigbluebutton 1 Bigbluebutton 2022-06-09 4.0 MEDIUM 4.3 MEDIUM
BigBlueButton is an open source web conferencing system. Starting in version 2.2 and up to versions 2.3.18 and 2.4-rc-6, an attacker can circumvent access restrictions for drawing on the whiteboard. The permission check is inadvertently skipped on the server, due to a previously introduced grace period. The attacker must be a meeting participant. The problem has been patched in versions 2.3.18 and 2.4-rc-6. There are currently no known workarounds.
CVE-2022-29235 1 Bigbluebutton 1 Bigbluebutton 2022-06-09 4.3 MEDIUM 5.3 MEDIUM
BigBlueButton is an open source web conferencing system. Starting in version 2.2 and up to versions 2.3.18 and 2.4-rc-6, an attacker who is able to obtain the meeting identifier for a meeting on a server can find information related to an external video being shared, like the current timestamp and play/pause. The problem has been patched in versions 2.3.18 and 2.4-rc-6 by modifying the stream to send the data only for users in the meeting. There are currently no known workarounds.
CVE-2022-29234 1 Bigbluebutton 1 Bigbluebutton 2022-06-09 4.0 MEDIUM 4.3 MEDIUM
BigBlueButton is an open source web conferencing system. Starting in version 2.2 and up to versions 2.3.18 and 2.4.1, an attacker could send messages to a locked chat within a grace period of 5s after the lock setting was enacted. The attacker needs to be a participant in the meeting. Versions 2.3.18 and 2.4.1 contain a patch for this issue. There are currently no known workarounds.
CVE-2022-29233 1 Bigbluebutton 1 Bigbluebutton 2022-06-09 5.0 MEDIUM 4.3 MEDIUM
BigBlueButton is an open source web conferencing system. In BigBlueButton starting with 2.2 but before 2.3.18 and 2.4-rc-1, an attacker can circumvent access controls to gain access to all breakout rooms of the meeting they are in. The permission checks rely on knowledge of internal ids rather than on verification of the role of the user. Versions 2.3.18 and 2.4-rc-1 contain a patch for this issue. There are currently no known workarounds.