Bigbluebutton : Security Vulnerabilities, CVEs, CVSS score >= 9
BigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks related to a "weak sandbox."
Max CVSS: 9.8
EPSS Score: 0.52%
Published: 2020-10-21
Updated: 2020-10-29
BigBlueButton before 2.2.7 does not have a protection mechanism for separator injection in meetingId, userId, and authToken.
Max CVSS: 9.8
EPSS Score: 0.29%
Published: 2022-09-29
Updated: 2022-10-03
BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value can be a .pdf filename while the presFilename (mixed case) value has a ../ sequence. This can be leveraged for privilege escalation via a directory traversal to bigbluebutton.properties. NOTE: this issue exists because of an ineffective mitigation to CVE-2020-12112 in which there was an attempted fix within an NGINX configuration file, without considering that the relevant part of NGINX is case-insensitive.
Max CVSS: 9.8
EPSS Score: 0.68%
Published: 2020-04-29
Updated: 2020-05-06
3 vulnerabilities found