GitHub_MCVE-2023-42803CVE-2023-42803
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
25.7%
BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.2 is vulnerable to unrestricted file upload, where the insertDocument API call does not validate the given file extension before saving the file, and does not remove it in case of validation failures. BigBlueButton 2.6.0-beta.2 contains a patch. There are no known workarounds.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| bigbluebutton | bigbluebutton | * | cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:* |
| bigbluebutton | bigbluebutton | 2.6.0 | cpe:2.3:a:bigbluebutton:bigbluebutton:2.6.0:alpha1:*:*:*:*:*:* |
| bigbluebutton | bigbluebutton | 2.6.0 | cpe:2.3:a:bigbluebutton:bigbluebutton:2.6.0:alpha2:*:*:*:*:*:* |
| bigbluebutton | bigbluebutton | 2.6.0 | cpe:2.3:a:bigbluebutton:bigbluebutton:2.6.0:alpha3:*:*:*:*:*:* |
| bigbluebutton | bigbluebutton | 2.6.0 | cpe:2.3:a:bigbluebutton:bigbluebutton:2.6.0:alpha4:*:*:*:*:*:* |
| bigbluebutton | bigbluebutton | 2.6.0 | cpe:2.3:a:bigbluebutton:bigbluebutton:2.6.0:beta1:*:*:*:*:*:* |
CNA Affected
[
{
"vendor": "bigbluebutton",
"product": "bigbluebutton",
"versions": [
{
"version": "< 2.6.0-beta.2",
"status": "affected"
}
]
}
]Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
25.7%