Vulnerabilities > Bigbluebutton > Medium

DATE CVE VULNERABILITY TITLE RISK
2022-01-19 CVE-2021-4143 Unspecified vulnerability in Bigbluebutton
Cross-site Scripting (XSS) - Generic in GitHub repository bigbluebutton/bigbluebutton prior to 2.4.0.
network
low complexity
bigbluebutton
6.1
2020-11-19 CVE-2020-28954 Improper Encoding or Escaping of Output vulnerability in Bigbluebutton
web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name.
network
low complexity
bigbluebutton CWE-116
5.3
2020-11-19 CVE-2020-28953 Unspecified vulnerability in Bigbluebutton
In BigBlueButton before 2.2.29, a user can vote more than once in a single poll.
network
low complexity
bigbluebutton
4.3
2020-10-22 CVE-2020-27642 Cross-site Scripting vulnerability in Bigbluebutton Greenlight 2.7.6
A cross-site scripting (XSS) vulnerability exists in the 'merge account' functionality in admins.js in BigBlueButton Greenlight 2.7.6.
network
low complexity
bigbluebutton CWE-79
6.1
2020-10-21 CVE-2020-27612 Information Exposure vulnerability in Bigbluebutton
Greenlight in BigBlueButton through 2.2.28 places usernames in room URLs, which may represent an unintended information leak to users in a room, or an information leak to outsiders if any user publishes a screenshot of a browser window.
network
low complexity
bigbluebutton CWE-200
4.3
2020-10-21 CVE-2020-27609 Incorrect Authorization vulnerability in Bigbluebutton
BigBlueButton through 2.2.28 records a video meeting despite the deactivation of video recording in the user interface.
network
low complexity
bigbluebutton CWE-863
5.3
2020-10-21 CVE-2020-27608 Cross-site Scripting vulnerability in Bigbluebutton
In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document.
network
low complexity
bigbluebutton CWE-79
6.1
2020-10-21 CVE-2020-27607 Unspecified vulnerability in Bigbluebutton
In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client.
network
low complexity
bigbluebutton
6.5
2020-10-21 CVE-2020-27606 Unspecified vulnerability in Bigbluebutton
BigBlueButton before 2.2.28 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.
network
low complexity
bigbluebutton
5.3
2020-10-21 CVE-2020-27604 Improper Encoding or Escaping of Output vulnerability in Bigbluebutton
BigBlueButton before 2.3 does not implement LibreOffice sandboxing.
network
low complexity
bigbluebutton CWE-116
6.5