Skip to main content

Bigbluebutton CVE-2023-42803

HIGH
Unrestricted Upload of File with Dangerous Type (CWE-434)
2023-10-30 security-advisories@github.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Oct 30, 2023 - 19:15 nvd
HIGH 8.8

DescriptionNVD

BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.2 is vulnerable to unrestricted file upload, where the insertDocument API call does not validate the given file extension before saving the file, and does not remove it in case of validation failures. BigBlueButton 2.6.0-beta.2 contains a patch. There are no known workarounds.

AnalysisAI

BigBlueButton is an open-source virtual classroom. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Unrestricted File Upload (CWE-434), which allows attackers to upload malicious files that can be executed on the server. BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.2 is vulnerable to unrestricted file upload, where the insertDocument API call does not validate the given file extension before saving the file, and does not remove it in case of validation failures. BigBlueButton 2.6.0-beta.2 contains a patch. There are no known workarounds. Affected products include: Bigbluebutton. Version information: version 2.6.0.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate file types server-side, store uploads outside webroot, use random filenames, scan for malware.

CVE-2020-27605 CRITICAL POC
9.8 Oct 21

BigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject

CVE-2020-12443 CRITICAL POC
9.8 Apr 29

BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value ca

CVE-2020-27613 HIGH POC
8.4 Oct 21

The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which al

CVE-2020-29043 HIGH POC
7.5 Nov 26

An issue was discovered in BigBlueButton through 2.2.29. Rated high severity (CVSS 7.5), this vulnerability is remotely

CVE-2020-27610 HIGH POC
7.5 Oct 21

The installation procedure in BigBlueButton before 2.2.28 (or earlier) exposes certain network services to external inte

CVE-2020-27603 HIGH POC
7.5 Oct 21

BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access exte

CVE-2020-12112 HIGH POC
7.5 Apr 23

BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion. Rated high severi

CVE-2026-27466 HIGH POC
7.2 Feb 21

BigBlueButton versions 3.0.21 and below allow remote denial of service when ClamAV is configured following official docu

CVE-2020-27607 MEDIUM POC
6.5 Oct 21

In BigBlueButton before 2.2.28 (or earlier), the client-side Mute button only signifies that the server should stop acce

CVE-2020-27604 MEDIUM POC
6.5 Oct 21

BigBlueButton before 2.3 does not implement LibreOffice sandboxing. Rated medium severity (CVSS 6.5), this vulnerability

CVE-2020-25820 MEDIUM POC
6.5 Oct 21

BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploade

CVE-2020-27608 MEDIUM POC
6.1 Oct 21

In BigBlueButton before 2.2.28 (or earlier), uploaded presentations are sent to clients without a Content-Type header, w

Share

CVE-2023-42803 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy