Vulnerabilities > Bigbluebutton

DATE CVE VULNERABILITY TITLE RISK
2020-11-26 CVE-2020-29043 Missing Authorization vulnerability in Bigbluebutton
An issue was discovered in BigBlueButton through 2.2.29.
network
low complexity
bigbluebutton CWE-862
5.0
2020-11-26 CVE-2020-29042 Improper Restriction of Excessive Authentication Attempts vulnerability in Bigbluebutton
An issue was discovered in BigBlueButton through 2.2.29.
4.3
2020-11-19 CVE-2020-28954 Improper Encoding or Escaping of Output vulnerability in Bigbluebutton
web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name.
network
low complexity
bigbluebutton CWE-116
5.0
2020-11-19 CVE-2020-28953 Incorrect Permission Assignment for Critical Resource vulnerability in Bigbluebutton
In BigBlueButton before 2.2.29, a user can vote more than once in a single poll.
network
low complexity
bigbluebutton CWE-732
4.0
2020-10-22 CVE-2020-27642 Cross-site Scripting vulnerability in Bigbluebutton Greenlight 2.7.6
A cross-site scripting (XSS) vulnerability exists in the 'merge account' functionality in admins.js in BigBlueButton Greenlight 2.7.6.
4.3
2020-10-21 CVE-2020-27613 Cleartext Storage of Sensitive Information vulnerability in Bigbluebutton
The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which allows local users to achieve unintended FreeSWITCH access.
local
low complexity
bigbluebutton CWE-312
4.6
2020-10-21 CVE-2020-27612 Information Exposure vulnerability in Bigbluebutton
Greenlight in BigBlueButton through 2.2.28 places usernames in room URLs, which may represent an unintended information leak to users in a room, or an information leak to outsiders if any user publishes a screenshot of a browser window.
network
low complexity
bigbluebutton CWE-200
4.0
2020-10-21 CVE-2020-27611 Use of a Broken or Risky Cryptographic Algorithm vulnerability in Bigbluebutton
BigBlueButton through 2.2.28 uses STUN/TURN resources from a third party, which may represent an unintended endpoint.
network
low complexity
bigbluebutton CWE-327
7.5
2020-10-21 CVE-2020-27610 Information Exposure vulnerability in Bigbluebutton
The installation procedure in BigBlueButton before 2.2.28 (or earlier) exposes certain network services to external interfaces, and does not automatically set up a firewall configuration to block external access.
network
low complexity
bigbluebutton CWE-200
5.0
2020-10-21 CVE-2020-27609 Incorrect Authorization vulnerability in Bigbluebutton
BigBlueButton through 2.2.28 records a video meeting despite the deactivation of video recording in the user interface.
network
low complexity
bigbluebutton CWE-863
5.0