CVE-2023-33176 Blind SSRF When Uploading Presentation in BigBlueButton

BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. In affected versions are affected by a Server-Side Request Forgery SSRF vulnerability. In an insertDocument API request the user is able to supply a URL from which the presentation should be...

Design/Logic Flaw

In BigBlueButton before 2.2.28 or earlier, uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document...