Executive Summary
Information | |||
---|---|---|---|
Name | CVE-2020-27604 | First vendor Publication | 2020-10-21 |
Vendor | Cve | Last vendor Modification | 2020-10-30 |
Security-Database Scoring CVSS v3
Cvss vector : CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | |||
---|---|---|---|
Overall CVSS Score | 6.5 | ||
Base Score | 6.5 | Environmental Score | 6.5 |
Impact SubScore | 3.6 | Temporal Score | 6.5 |
Exploitability Sub Score | 2.8 | ||
Attack Vector | Network | Attack Complexity | Low |
Privileges Required | Low | User Interaction | None |
Scope | Unchanged | Confidentiality Impact | High |
Integrity Impact | None | Availability Impact | None |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:S/C:P/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 4 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Exploit Score | 8 | Authentication | Requires single instance |
Detail
BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example) use api/join to join an arbitrary meeting regardless of its guestPolicy setting. |
Original Source
Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27604 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-116 | Improper Encoding or Escaping of Output |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | | 1 |
Sources (Detail)
Source | Url |
---|---|
MISC | https://docs.bigbluebutton.org/dev/api.html https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-... |
Alert History
Date | Information |
---|---|
2021-05-04 13:52:27 | |
2021-04-22 03:03:17 | |
2020-11-01 17:23:01 | |
2020-10-21 21:23:37 | |