8.8

CVE-2023-42803

EPSS 0.1%
Veröffentlicht 30.10.2023 19:15:07
Zuletzt bearbeitet 21.11.2024 08:23:11
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.2 is vulnerable to unrestricted file upload, where the insertDocument API call does not validate the given file extension before saving the file, and does not remove it in case of validation failures. BigBlueButton 2.6.0-beta.2 contains a patch. There are no known workarounds.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

BigBlueButton ≫ BigBlueButton Version <= 2.5.18

BigBlueButton ≫ BigBlueButton Version2.6.0 Updatealpha1

BigBlueButton ≫ BigBlueButton Version2.6.0 Updatealpha2

BigBlueButton ≫ BigBlueButton Version2.6.0 Updatealpha3

BigBlueButton ≫ BigBlueButton Version2.6.0 Updatealpha4

BigBlueButton ≫ BigBlueButton Version2.6.0 Updatebeta1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.1%	0.27

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	5.3	1.6	3.6	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

https://github.com/bigbluebutton/bigbluebutton/pull/15990

Third Party Advisory

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-w98f-6x8w-xhjc

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2023-42803

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-42803

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-42803

EUVD