BigBlueButton

BigBlueButton

54 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
9.8

CVE-2020-27605

Exploit
  • EPSS 1.23%
  • Veröffentlicht 21.10.2020 15:15:27
  • Zuletzt bearbeitet 21.11.2024 05:21:26

BigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "schwache Sandbox."

5.3

CVE-2020-27606

Exploit
  • EPSS 1.13%
  • Veröffentlicht 21.10.2020 15:15:27
  • Zuletzt bearbeitet 21.11.2024 05:21:26

BigBlueButton before 2.2.28 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.

6.5

CVE-2020-27607

Exploit
  • EPSS 0.76%
  • Veröffentlicht 21.10.2020 15:15:27
  • Zuletzt bearbeitet 21.11.2024 05:21:27

In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. It does not directly configure the client to stop sending audio data to the server, and thus a m...

6.1

CVE-2020-27608

Exploit
  • EPSS 0.68%
  • Veröffentlicht 21.10.2020 15:15:27
  • Zuletzt bearbeitet 21.11.2024 05:21:27

In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.

5.3

CVE-2020-27609

Exploit
  • EPSS 0.78%
  • Veröffentlicht 21.10.2020 15:15:27
  • Zuletzt bearbeitet 21.11.2024 05:21:27

BigBlueButton through 2.2.28 records a video meeting despite the deactivation of video recording in the user interface. This may result in data storage beyond what is authorized for a specific meeting topic or participant.

7.5

CVE-2020-27610

Exploit
  • EPSS 1.18%
  • Veröffentlicht 21.10.2020 15:15:27
  • Zuletzt bearbeitet 21.11.2024 05:21:27

The installation procedure in BigBlueButton before 2.2.28 (or earlier) exposes certain network services to external interfaces, and does not automatically set up a firewall configuration to block external access.

7.5

CVE-2020-27611

  • EPSS 0.66%
  • Veröffentlicht 21.10.2020 15:15:27
  • Zuletzt bearbeitet 21.11.2024 05:21:27

BigBlueButton through 2.2.28 uses STUN/TURN resources from a third party, which may represent an unintended endpoint.

4.3

CVE-2020-27612

  • EPSS 0.67%
  • Veröffentlicht 21.10.2020 15:15:27
  • Zuletzt bearbeitet 21.11.2024 05:21:28

Greenlight in BigBlueButton through 2.2.28 places usernames in room URLs, which may represent an unintended information leak to users in a room, or an information leak to outsiders if any user publishes a screenshot of a browser window.

6.5

CVE-2020-27604

Exploit
  • EPSS 1.13%
  • Veröffentlicht 21.10.2020 15:15:26
  • Zuletzt bearbeitet 21.11.2024 05:21:26

BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example)...

7.5

CVE-2020-27603

Exploit
  • EPSS 2.93%
  • Veröffentlicht 21.10.2020 15:15:26
  • Zuletzt bearbeitet 21.11.2024 05:21:26

BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access external files.