In BigBlueButton prior to 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.
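The root cause above is a response with no explicit Content-Type, which leaves the browser free to sniff the body and render an HTML document even though the stored file carries an image extension. The following is an added example (not BigBlueButton's code) showing the two things a defender wants: a header builder that derives the type from a server-side allowlist and adds nosniff, and an audit function that flags responses exhibiting this class of defect. `ALLOWED_TYPES`, `response_headers_for_upload`, `audit_headers` and the sample `VULNERABLE_RESPONSE` headers are all assumptions constructed for this example.

```python
"""Header hardening and audit for serving user-uploaded files.

Added example, not BigBlueButton's own code. The allowlist and the sample
response below are constructed for illustration.
"""
from typing import Dict, List

# Server-side allowlist keyed on the stored file's extension. The type is
# decided here, never from anything the uploader claimed. (Constructed.)
ALLOWED_TYPES = {
    ".pdf": "application/pdf",
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".svg": "image/svg+xml",
}

# Types a browser would execute script from if rendered inline in our origin.
ACTIVE_TYPES = ("text/html", "application/xhtml+xml", "image/svg+xml")


def _safe_filename(filename: str) -> str:
    """Strip characters that would break the Content-Disposition header."""
    return "".join(c for c in filename if c not in '"\r\n\\')


def response_headers_for_upload(filename: str) -> Dict[str, str]:
    """Build response headers for a stored upload.

    1. Always send an explicit Content-Type from the allowlist.
    2. Send X-Content-Type-Options: nosniff so the body is never re-typed.
    3. Anything not on the allowlist, and any type that can carry script,
       is served as a download rather than rendered inline.
    """
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    ctype = ALLOWED_TYPES.get(ext)
    headers = {
        "Content-Type": ctype or "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
    }
    if ctype is None or ctype in ACTIVE_TYPES:
        headers["Content-Disposition"] = (
            f'attachment; filename="{_safe_filename(filename)}"'
        )
    return headers


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response that serves user-supplied content.

    An empty list means the response is not exposed to the sniffing problem
    described in the advisory text above.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    if "content-type" not in lower:
        findings.append("missing Content-Type: browser will sniff the body")
    if lower.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    ctype = lower.get("content-type", "").split(";")[0].strip().lower()
    disposition = lower.get("content-disposition", "").lower()
    if ctype in ACTIVE_TYPES and "attachment" not in disposition:
        findings.append(f"active content type {ctype} served inline")
    return findings


# Constructed sample of what an affected server sends: no Content-Type at all.
VULNERABLE_RESPONSE = {"Content-Length": "1234", "Server": "nginx"}

if __name__ == "__main__":
    for finding in audit_headers(VULNERABLE_RESPONSE):
        print("finding:", finding)
    print(response_headers_for_upload("slides.png"))
    print(response_headers_for_upload("deck.html"))
```

Running the audit against the constructed `VULNERABLE_RESPONSE` reports both the missing Content-Type and the missing nosniff header, while the headers produced by `response_headers_for_upload` audit clean. Note that nosniff alone is not sufficient if the server still picks the type from a client-controlled value; the allowlist keyed on the stored extension is what prevents an HTML body from ever being labelled as an image or left unlabelled.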
Vulnerable Product: bigbluebutton bigbluebutton