Abdulmohsen Alotaibi

**Name of the Vulnerable Software and Affected Versions** BigBlueButton versions prior to 2.6.0-beta.2 **Description** BigBlueButton is an open-source virtual classroom. The issue arises from the `insertDocument` API call not validating the given file extension before saving the file and not removing it in case of validation failures, leading to unrestricted file upload. **Recommendations** For versions prior to 2.6.0-beta.2, update to version 2.6.0-beta.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `insertDocument` API call until a patch is applied. Avoid using the `insertDocument` API call with untrusted file sources until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** BigBlueButton versions prior to 2.6.0-beta.1 **Description** BigBlueButton is an open-source virtual classroom. It has a path traversal vulnerability that allows an attacker with a valid starting folder path to traverse and read other files without authentication, assuming the files have certain extensions (txt, swf, svg, png). In version 2.6.0-beta.1, input validation was added on the parameters being passed and dangerous characters are stripped. **Recommendations** For versions prior to 2.6.0-beta.1, update to version 2.6.0-beta.1 or later, which includes input validation and strips dangerous characters from parameters. As a temporary workaround, consider restricting access to sensitive files and directories to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** BigBlueButton (affected versions not specified) **Description** BigBlueButton is an open source virtual classroom designed to help teachers teach and learners learn. In affected versions, a Server-Side Request Forgery (SSRF) vulnerability exists. The `insertDocument` API request allows users to supply a URL from which the presentation should be downloaded, and this URL was being used without validation. An update to the `followRedirect` method in the `PresentationUrlDownloadService` has been made to validate all URLs for presentation download. Two new properties, `presentationDownloadSupportedProtocols` and `presentationDownloadBlockedHosts`, have been added to `bigbluebutton.properties` to define allowed protocols and blocked hosts for presentation downloads. URLs passed to `insertDocument` must conform to these requirements, resolve to valid addresses, and not be local or loopback addresses. **Recommendations** To resolve the issue, users are advised to upgrade to a patched version of BigBlueButton. As a temporary workaround, consider restricting access to the `insertDocument` API endpoint until a patch is available. Additionally, administrators can define allowed protocols and blocked hosts using the `presentationDownloadSupportedProtocols` and `presentationDownloadBlockedHosts` properties in `bigbluebutton.properties` to minimize the risk of exploitation.