web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name.
References
| Link | Resource |
|---|---|
| https://github.com/bigbluebutton/bigbluebutton/commit/5c911ddeec4493f40f42e2f137800ed4692004a4 | Patch, Third Party Advisory |
| https://github.com/bigbluebutton/bigbluebutton/commit/e59bcd0c33a6a3203c011faa8823ba2cac1e4f37 | Patch, Third Party Advisory |
| https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.28...v2.2.29 | Release Notes, Third Party Advisory |
| https://github.com/bigbluebutton/bigbluebutton/issues/10818 | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2020-11-19T21:14:53
Updated: 2020-11-19T21:14:53
Reserved: 2020-11-19T00:00:00
Link: CVE-2020-28954
NVD Information
Status: Analyzed
Published: 2020-11-19T22:15:13.757
Modified: 2020-11-29T23:41:06.973
Link: CVE-2020-28954
Red Hat Information
No data.
CWE