Code injection

2022-06-0200:15:00

PRIOn knowledge base

www.prio-n.com

4.5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

33.5%

JSON

BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker can circumvent access restrictions for drawing on the whiteboard. The permission check is inadvertently skipped on the server, due to a previously introduced grace period. The attacker must be a meeting participant. The problem has been patched in versions 2.3.18 and 2.4-rc-6. There are currently no known workarounds.

CPENameOperatorVersion
bigbluebuttoneq2.4 alpha1
bigbluebuttoneq2.4 alpha2
bigbluebuttoneq2.4 beta2
bigbluebuttoneq2.4 beta1
bigbluebuttoneq2.4 beta3
bigbluebuttoneq2.4 beta4
bigbluebuttonge2.2.0
bigbluebuttonlt2.3.18
bigbluebuttoneq2.4 rc5
bigbluebuttoneq2.4 rc4

Name	Operator	Version
bigbluebutton	eq	2.4 alpha1
bigbluebutton	eq	2.4 alpha2
bigbluebutton	eq	2.4 beta2
bigbluebutton	eq	2.4 beta1
bigbluebutton	eq	2.4 beta3
bigbluebutton	eq	2.4 beta4
bigbluebutton	ge	2.2.0
bigbluebutton	lt	2.3.18
bigbluebutton	eq	2.4 rc5
bigbluebutton	eq	2.4 rc4