Vulnerabilities > Bigbluebutton > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-11-19 | CVE-2020-28953 | Unspecified vulnerability in Bigbluebutton In BigBlueButton before 2.2.29, a user can vote more than once in a single poll. | 4.3 |
| 2020-10-22 | CVE-2020-27642 | Cross-site Scripting vulnerability in Bigbluebutton Greenlight 2.7.6 A cross-site scripting (XSS) vulnerability exists in the 'merge account' functionality in admins.js in BigBlueButton Greenlight 2.7.6. | 6.1 |
| 2020-10-21 | CVE-2020-27612 | Information Exposure vulnerability in Bigbluebutton Greenlight in BigBlueButton through 2.2.28 places usernames in room URLs, which may represent an unintended information leak to users in a room, or an information leak to outsiders if any user publishes a screenshot of a browser window. | 4.3 |
| 2020-10-21 | CVE-2020-27609 | Incorrect Authorization vulnerability in Bigbluebutton BigBlueButton through 2.2.28 records a video meeting despite the deactivation of video recording in the user interface. | 5.3 |
| 2020-10-21 | CVE-2020-27608 | Cross-site Scripting vulnerability in Bigbluebutton In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, which allows XSS, as demonstrated by a .png file extension for an HTML document. | 6.1 |
| 2020-10-21 | CVE-2020-27607 | Unspecified vulnerability in Bigbluebutton In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop accepting audio data from the client. | 6.5 |
| 2020-10-21 | CVE-2020-27606 | Unspecified vulnerability in Bigbluebutton BigBlueButton before 2.2.28 (or earlier) does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. | 5.3 |
| 2020-10-21 | CVE-2020-27604 | Improper Encoding or Escaping of Output vulnerability in Bigbluebutton BigBlueButton before 2.3 does not implement LibreOffice sandboxing. | 6.5 |
| 2020-10-21 | CVE-2020-25820 | Server-Side Request Forgery (SSRF) vulnerability in Bigbluebutton BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field. | 6.5 |
| 2020-04-23 | CVE-2020-12113 | Cross-site Scripting vulnerability in Bigbluebutton BigBlueButton before 2.2.4 allows XSS via closed captions because dangerouslySetInnerHTML in React is used. | 6.1 |