BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.1 has a path traversal vulnerability that allows an attacker with a valid starting folder path, to traverse and read other files without authentication, assuming the files have certain extensions (txt, swf, svg, png). In version 2.6.0-beta.1, input validation was added on the parameters being passed and dangerous characters are stripped. There are no known workarounds.
References
Link | Resource |
---|---|
https://github.com/bigbluebutton/bigbluebutton/pull/15960 | Third Party Advisory |
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3qjg-229m-vq84 | Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: GitHub_M
Published: 2023-10-30T18:14:41.419Z
Updated: 2023-10-30T18:14:41.419Z
Reserved: 2023-09-14T16:13:33.306Z
Link: CVE-2023-42804
JSON object: View
NVD Information
Status : Analyzed
Published: 2023-10-30T19:15:08.037
Modified: 2023-11-07T23:17:42.680
Link: CVE-2023-42804
JSON object: View
Redhat Information
No data.
CWE