Assigner: GitHub_M
Reserved: 2023-09-14
Published: 2023-10-30
Updated: 2024-09-05
BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.1 has a path traversal vulnerability that allows an attacker with a valid starting folder path to traverse and read other files without authentication, assuming the files have certain extensions (txt, swf, svg, png). In version 2.6.0-beta.1, input validation was added on the parameters being passed and dangerous characters are stripped. There are no known workarounds.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3qjg-229m-vq84
https://github.com/bigbluebutton/bigbluebutton/pull/15960