Vulnerabilities > CVE-2020-25820 - Server-Side Request Forgery (SSRF) vulnerability in Bigbluebutton
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://www.redteam-pentesting.de/advisories/rt-sa-2020-005
- https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html
- http://packetstormsecurity.com/files/159667/BigBlueButton-2.2.25-File-Disclosure-Server-Side-Request-Forgery.html
- https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.26...v2.2.27
- https://github.com/bigbluebutton/bigbluebutton/commit/71fe1eac1e5bd73a2cd44bd79c001086b250e435