8.8
CVE-2023-42803
- EPSS 0.54%
- Veröffentlicht 30.10.2023 19:15:07
- Zuletzt bearbeitet 21.11.2024 08:23:11
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginBigBlueButton Unrestricted File Upload vulnerability
Unrestricted File Upload
BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.2 is vulnerable to unrestricted file upload, where the insertDocument API call does not validate the given file extension before saving the file, and does not remove it in case of validation failures. BigBlueButton 2.6.0-beta.2 contains a patch. There are no known workarounds.
Mögliche Gegenmaßnahme
Server: There are no workarounds. We recommend upgrading to a patched version of BigBlueButton.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
BigBlueButton ≫ BigBlueButton Version <= 2.5.18
BigBlueButton ≫ BigBlueButton Version2.6.0 Updatealpha1
BigBlueButton ≫ BigBlueButton Version2.6.0 Updatealpha2
BigBlueButton ≫ BigBlueButton Version2.6.0 Updatealpha3
BigBlueButton ≫ BigBlueButton Version2.6.0 Updatealpha4
BigBlueButton ≫ BigBlueButton Version2.6.0 Updatebeta1
Weitere Schwachstelleninformationen
SystemBigBlueButton
≫
Produkt
Server
Version
< 2.6.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.54% | 0.41 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| security-advisories@github.com | 5.3 | 1.6 | 3.6 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
|
CWE-434 Unrestricted Upload of File with Dangerous Type
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
https://github.com/bigbluebutton/bigbluebutton/pull/15990
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-w98f-6x8w-xhjc
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-w98f-6x8w-xhjc