CVE-2022-23488
BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are vulnerable to Insertion of Sensitive Information Into Sent Data. The moderators-only webcams lock setting is not enforced on the backend, which allows an attacker to subscribe to viewers' webcams, even when th...
CVE-2022-41964
CVE-2022-41964 affects BigBlueButton prior to version 2.4.0. The vulnerability allows a meeting presenter to subscribe to poll results before an anonymous poll starts, enabling viewing of individual responses in the poll. Root cause is an information-disclosure flaw in the poll result subscriptio...
Code injection
BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are subject to Ineffective user bans. The attacker could register multiple users, and join the meeting with one of them. When that user is banned, they could still join the meeting with the remaining registered...
CVE-2022-41962
BigBlueButton contains a vulnerability (CVE-2022-41962) described as Incorrect Authorization for setting emoji status. A user with moderator rights can use the clear status feature to set any emoji status for other users, whereas moderators should only be able to set none. Affected versions are p...
PT-2022-26186 · Unknown · Bigbluebutton
Name of the Vulnerable Software and Affected Versions: BigBlueButton versions prior to 2.4-rc-6 BigBlueButton versions prior to 2.5-alpha-1 Description: BigBlueButton is an open source web conferencing system. The issue concerns Incorrect Authorization for setting emoji status. A user with...
CVE-2022-41960 BigBlueButton contains DoS via failed authToken validation
BigBlueButton is an open source web conferencing system. Versions prior to 2.4.3 are subject to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to validateAuthToken using a victim's userId, meetingId, and an invalid authToken. Th...
CVE-2022-31064
BigBlueButton is an open source web conferencing system. Users in meetings with private chat enabled are vulnerable to a cross site scripting attack in affected versions. The attack occurs when an attacker with XSS in their name starts a chat. In the victim's client the JavaScript will be executed...