

CVE-2023-42804

BigBlueButton Path Traversal – Reading Certain File Extensions

Assigner: GitHub_M
Reserved: 2023-09-14
Published: 2023-10-30
Updated: 2024-09-05

Description

BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.1 has a path traversal vulnerability that allows an attacker who knows a valid starting folder path to traverse out of it and read other files without authentication, provided the files have one of certain extensions (txt, swf, svg, png). In version 2.6.0-beta.1, input validation was added on the parameters being passed and dangerous characters are stripped. There are no known workarounds.
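As an added illustration (not BigBlueButton's code and not the fix in the linked pull request), the CWE-22 pattern the record describes next to a hardened resolver: reject dangerous components, canonicalize, confirm containment in the base directory, then enforce the extension allowlist. The base directory, folder and file names are constructed values.

```python
import os
from pathlib import Path, PurePosixPath

# The extensions the advisory names as readable through the traversal.
ALLOWED_EXTENSIONS = {".txt", ".swf", ".svg", ".png"}


def resolve_unsafe(base_dir: str, folder: str, name: str) -> str:
    """CWE-22 pattern: caller-controlled parts are joined with no validation,
    so '..' segments in folder or name walk out of base_dir."""
    return os.path.normpath(os.path.join(base_dir, folder, name))


def resolve_safe(base_dir: str, folder: str, name: str) -> Path:
    """Hardened pattern (illustrative, not the project's own code)."""
    base = Path(base_dir).resolve()
    # 1. Reject absolute paths, '..' segments and NUL bytes before touching the filesystem.
    for value in (folder, name):
        parts = PurePosixPath(value.replace("\\", "/")).parts
        if not parts or parts[0] == "/" or any(p == ".." or "\0" in p for p in parts):
            raise ValueError(f"rejected path component: {value!r}")
    if "/" in name or "\\" in name:
        raise ValueError("file name must be a single component")
    # 2. Canonicalize (follows symlinks) and require the result to stay under base_dir.
    target = (base / folder / name).resolve()
    if target != base and base not in target.parents:
        raise ValueError("resolved path escapes base_dir")
    # 3. Only serve the intended file types.
    if target.suffix.lower() not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {target.suffix!r}")
    return target


def classify(base_dir: str, folder: str, name: str) -> str:
    """Return 'ok' or the rejection reason, for demonstration and testing."""
    try:
        resolve_safe(base_dir, folder, name)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    base = "/var/bigbluebutton"  # constructed base directory
    print("unsafe join:", resolve_unsafe(base, "../../etc", "passwd"))
    for folder, name in [("pres1", "slide.png"), ("../../etc", "passwd"),
                         ("pres1", "../secret.txt"), ("pres1", "notes.pdf")]:
        print(f"{folder}/{name} -> {classify(base, folder, name)}")
```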



Severity: LOW (CVSS 3.1 base score 3.1)
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Product status

< 2.6.0-beta.1: affected

References

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3qjg-229m-vq84

https://github.com/bigbluebutton/bigbluebutton/pull/15960

cve.org CVE-2023-42804

nvd.nist.gov CVE-2023-42804

https://cve.threatint.com/CVE/CVE-2023-42804