This CPE summary could be partial or incomplete. Please contact us for a detailed listing.


Vendor Bigbluebutton First view 2020-04-23
Product Bigbluebutton Last view 2020-11-26
Version * Type Application
Update *  
Edition *  
Language *  
Sofware Edition *  
Target Software *  
Target Hardware *  
Other *  
CPE Product cpe:2.3:a:bigbluebutton:bigbluebutton

Activity : Overall

Related : CVE

  Date Alert Description
7.5 2020-11-26 CVE-2020-29043

An issue was discovered in BigBlueButton through 2.2.29. When at attacker is able to view an account_activations/edit?token= URI, the attacker can create an approved user account associated with an email address that has an arbitrary domain name.

3.7 2020-11-26 CVE-2020-29042

An issue was discovered in BigBlueButton through 2.2.29. A brute-force attack may occur because an unlimited number of codes can be entered for a meeting that is protected by an access code.

5.3 2020-11-19 CVE-2020-28954

web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name.

4.3 2020-11-19 CVE-2020-28953

In BigBlueButton before 2.2.29, a user can vote more than once in a single poll.

8.4 2020-10-21 CVE-2020-27613

The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which allows local users to achieve unintended FreeSWITCH access.

4.3 2020-10-21 CVE-2020-27612

Greenlight in BigBlueButton through 2.2.28 places usernames in room URLs, which may represent an unintended information leak to users in a room, or an information leak to outsiders if any user publishes a screenshot of a browser window.

7.3 2020-10-21 CVE-2020-27611

BigBlueButton through 2.2.28 uses STUN/TURN resources from a third party, which may represent an unintended endpoint.

7.5 2020-10-21 CVE-2020-27610

The installation procedure in BigBlueButton before 2.2.28 (or earlier) exposes certain network services to external interfaces, and does not automatically set up a firewall configuration to block external access.

5.3 2020-10-21 CVE-2020-27609

BigBlueButton through 2.2.28 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant.

6.1 2020-10-21 CVE-2020-27608

In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.

6.5 2020-10-21 CVE-2020-27607

In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store the audio data and/or transmit it to one or more meeting participants or other third parties.

5.3 2020-10-21 CVE-2020-27606

BigBlueButton before 2.2.28 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.

9.8 2020-10-21 CVE-2020-27605

BigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox."

6.5 2020-10-21 CVE-2020-27604

BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the file. With the API shared secret, an attacker can (for example) use api/join to join an arbitrary meeting regardless of its guestPolicy setting.

7.5 2020-10-21 CVE-2020-27603

BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access external files.

6.5 2020-10-21 CVE-2020-25820

BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field.

9.8 2020-04-29 CVE-2020-12443

BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value can be a .pdf filename while the presFilename (mixed case) value has a ../ sequence. This can be leveraged for privilege escalation via a directory traversal to NOTE: this issue exists because of an ineffective mitigation to CVE-2020-12112 in which there was an attempted fix within an NGINX configuration file, without considering that the relevant part of NGINX is case-insensitive.

6.1 2020-04-23 CVE-2020-12113

BigBlueButton before 2.2.4 allows XSS via closed captions because dangerouslySetInnerHTML in React is used.

7.5 2020-04-23 CVE-2020-12112

BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion.

CWE : Common Weakness Enumeration

25% (3) CWE-200 Information Exposure
16% (2) CWE-116 Improper Encoding or Escaping of Output
16% (2) CWE-79 Failure to Preserve Web Page Structure ('Cross-site Scripting')
8% (1) CWE-732 Incorrect Permission Assignment for Critical Resource
8% (1) CWE-327 Use of a Broken or Risky Cryptographic Algorithm
8% (1) CWE-312 Cleartext Storage of Sensitive Information
8% (1) CWE-307 Improper Restriction of Excessive Authentication Attempts
8% (1) CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path ...