CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L
AI Score
Confidence
Low
SSVC
Exploitation
none
Automatable
no
Technical Impact
partial
BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker with a valid join link to a meeting can trick BigBlueButton into generating a signed join link with additional parameters. One of those parameters may be “role=moderator”, allowing an attacker to join a meeting as moderator using a join link that was originally created for viewer access. This vulnerability has been patched in version(s) 2.6.18, 2.7.8 and 3.0.0-alpha.7.
[
{
"vendor": "bigbluebutton",
"product": "bigbluebutton",
"versions": [
{
"status": "affected",
"version": "< 2.6.18"
},
{
"status": "affected",
"version": ">= 2.7.0, < 2.7.8"
},
{
"status": "affected",
"version": ">= 2.8.0, < 3.0.0-alpha.7"
}
]
}
]
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L
AI Score
Confidence
Low
SSVC
Exploitation
none
Automatable
no
Technical Impact
partial