Vulmon
Recent Vulnerabilities
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
By Recent Activity
bigbluebutton vulnerabilities and exploits
(subscribe to this query)
5
CVSSv2
CVE-2020-27606
BigBlueButton before 2.2.28 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session....
Bigbluebutton Bigbluebutton
6.4
CVSSv2
CVE-2020-27607
In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a modified server could store...
Bigbluebutton Bigbluebutton
4.6
CVSSv2
CVE-2020-27613
The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which allows local users to achieve unintended FreeSWITCH access....
Bigbluebutton Bigbluebutton
4.3
CVSSv2
CVE-2020-27608
In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document....
Bigbluebutton Bigbluebutton
4.3
CVSSv2
CVE-2020-12113
BigBlueButton before 2.2.4 allows XSS via closed captions because dangerouslySetInnerHTML in React is used....
Bigbluebutton Bigbluebutton
4
CVSSv2
CVE-2020-25820
BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field....
Bigbluebutton Bigbluebutton
5
CVSSv2
CVE-2020-27610
The installation procedure in BigBlueButton before 2.2.28 (or earlier) exposes certain network services to external interfaces, and does not automatically set up a firewall configuration to block external access....
Bigbluebutton Bigbluebutton
4
CVSSv2
CVE-2020-27604
BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example) use api/join to join an...
Bigbluebutton Bigbluebutton
5
CVSSv2
CVE-2020-28954
web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name....
Bigbluebutton Bigbluebutton
5
CVSSv2
CVE-2020-29043
An issue was discovered in BigBlueButton through 2.2.29. When at attacker is able to view an account_activations/edit?token= URI, the attacker can create an approved user account associated with an email address that has an arbitrary domain name....
Bigbluebutton Bigbluebutton
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
arbitrary code
CVE-2021-21259
CVE-2021-3115
hard-coded
CVE-2021-1140
CVE-2020-11150
CVE-2019-8791
physical
CVE-2020-11215
1
2
3
NEXT »
Vulmon