

CVE-2023-42804

BigBlueButton Path Traversal – Reading Certain File Extensions



Description

BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.1 has a path traversal vulnerability that allows an attacker who knows a valid starting folder path to traverse out of it and read other files without authentication, provided the target files have one of certain extensions (txt, swf, svg, png). In version 2.6.0-beta.1, input validation was added on the parameters being passed and dangerous characters are stripped. There are no known workarounds.
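The description above names the two halves of the bug: an extension allowlist that only looks at the file name, and a folder parameter that is joined into the filesystem path unchecked. The example below is added here to illustrate that pattern and is not BigBlueButton's own code; the directory layout, the `folder`/`filename` parameters, the `sanitize_segment` regex and the `serve_vulnerable`/`serve_hardened` handlers are all assumptions made for the illustration. It shows the allowlist being satisfied by `../private/secret.txt` in the vulnerable handler, the "strip dangerous characters" fix described in the advisory, and a canonicalise-and-confine check layered underneath it that also catches a symlink pointing outside the served tree.

```python
"""Added example (not BigBlueButton code): extension allowlisting alone does not
stop path traversal; stripping dangerous characters plus a confinement check does.

Assumed layout, built with tempfile in demo() and not taken from the project:
  <base>/presentations/<folder>/<file>   files the handler is meant to serve
  <base>/private/secret.txt              a file that must never be reachable
"""
import re
import tempfile
from pathlib import Path

# Extensions the advisory says were readable through the traversal.
ALLOWED_EXTENSIONS = {".txt", ".swf", ".svg", ".png"}

# Hypothetical sanitisation rule for this example: keep only characters a plain
# name needs, so '/', '\\' and '%' never survive and '..' cannot be rebuilt.
_SAFE_SEGMENT = re.compile(r"[^A-Za-z0-9_\-.]")


def _extension_allowed(filename: str) -> bool:
    return Path(filename).suffix.lower() in ALLOWED_EXTENSIONS


def serve_vulnerable(public_root: Path, folder: str, filename: str) -> bytes:
    """Checks only the extension, then joins user input straight into the path."""
    if not _extension_allowed(filename):
        raise PermissionError("extension not allowed")
    # '..' inside `folder` walks out of public_root; nothing here notices.
    return (public_root / folder / filename).read_bytes()


def sanitize_segment(segment: str) -> str:
    """Strip characters that are not part of a plain name; a segment can then
    never be '.', '..' or contain a separator (leading dots are dropped too)."""
    return _SAFE_SEGMENT.sub("", segment).lstrip(".")


def serve_hardened(public_root: Path, folder: str, filename: str) -> bytes:
    """Sanitise each parameter, then refuse any resolved path outside the root."""
    folder, filename = sanitize_segment(folder), sanitize_segment(filename)
    if not folder or not filename:
        raise PermissionError("empty path segment after sanitisation")
    if not _extension_allowed(filename):
        raise PermissionError("extension not allowed")
    root = public_root.resolve()
    target = (root / folder / filename).resolve()   # follows symlinks, collapses '..'
    # Defence in depth: even if sanitisation were bypassed, stay inside the root.
    if root not in target.parents:
        raise PermissionError("path escapes public root")
    return target.read_bytes()


def demo() -> dict:
    """Build the constructed layout in a temp dir, run both handlers against a
    legitimate request, a traversal attempt and a symlink escape; return results."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        public_root = base / "presentations"
        (public_root / "meeting-1").mkdir(parents=True)
        (public_root / "meeting-1" / "slide.png").write_bytes(b"PNG-bytes")
        (base / "private").mkdir()
        (base / "private" / "secret.txt").write_bytes(b"db-password")

        results = {}
        # A normal request works in both handlers.
        results["legit_vuln"] = serve_vulnerable(public_root, "meeting-1", "slide.png")
        results["legit_hard"] = serve_hardened(public_root, "meeting-1", "slide.png")

        # Traversal: the folder walks up, the file has an allow-listed extension.
        results["trav_vuln"] = serve_vulnerable(public_root, "../private", "secret.txt")
        try:
            serve_hardened(public_root, "../private", "secret.txt")
            results["trav_hard"] = "served"
        except (PermissionError, FileNotFoundError) as exc:
            # After stripping, the request becomes presentations/private/secret.txt,
            # which is inside the root but does not exist.
            results["trav_hard"] = type(exc).__name__

        # Symlink inside the served tree pointing at the secret: sanitisation and
        # the extension check both pass; only the confinement check stops it.
        try:
            (public_root / "meeting-1" / "leak.txt").symlink_to(base / "private" / "secret.txt")
        except OSError:
            results["symlink_hard"] = "skipped"   # platform without symlink support
        else:
            try:
                serve_hardened(public_root, "meeting-1", "leak.txt")
                results["symlink_hard"] = "served"
            except PermissionError as exc:
                results["symlink_hard"] = type(exc).__name__
        return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The example treats each request parameter as a single path segment, which is a design choice of the illustration rather than a statement about the project's own sanitisation; the point it makes is that the allowlist must be applied to the canonical, confined path, not to the raw file name.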

Reserved 2023-09-14 | Published 2023-10-30 | Updated 2024-09-05 | Assigner GitHub_M


LOW: 3.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

< 2.6.0-beta.1: affected

References

github.com/...button/security/advisories/GHSA-3qjg-229m-vq84

github.com/bigbluebutton/bigbluebutton/pull/15960

cve.org (CVE-2023-42804)

nvd.nist.gov (CVE-2023-42804)

https://cve.threatint.com/CVE/CVE-2023-42804