4.6

CVE-2024-38518

bbb-web API additional parameters considered

API Additional Parameters Considered

BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker with a valid join link to a meeting can trick BigBlueButton into generating a signed join link with additional parameters. One of those parameters may be "role=moderator", allowing an attacker to join a meeting as moderator using a join link that was originally created for viewer access. This vulnerability has been patched in version(s) 2.6.18, 2.7.8 and 3.0.0-alpha.7.
Mögliche Gegenmaßnahme
Server: There are no workarounds. We recommend upgrading to a patched version of BigBlueButton.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellerbigbluebutton
Produkt bigbluebutton
Version < 2.6.18
Status affected
Version >= 2.7.0, < 2.7.8
Status affected
Version >= 2.8.0, < 3.0.0-alpha.7
Status affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Weitere Schwachstelleninformationen
SystemBigBlueButton
Produkt Server
Version < 2.7.8
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.31% 0.221
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 4.6 2.1 2.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L
CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://github.com/bigbluebutton/bigbluebutton/commit/a9d436accdcd26ea66bed9f391488ac128cd62d1
https://github.com/bigbluebutton/bigbluebutton/commit/ea6e9461dceae8fa593543d8c686f77bb8677e72
https://github.com/bigbluebutton/bigbluebutton/pull/20279
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-4m48-49h7-f3c4
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-4m48-49h7-f3c4
Third Party Advisory