Lukas Knittel

**Name of the Vulnerable Software and Affected Versions** BigBlueButton versions 3.0.19 and below **Description** BigBlueButton is a virtual classroom platform. When a user joins a session with the microphone initially muted, the client may send audio data to the server despite the mute state. While the server discards this audio, preventing it from being audible to other participants, a malicious server operator could potentially access this data. This behavior occurs only between joining the meeting and the first time the user unmutes. **Recommendations** Update to version 3.0.20 or later.

**Name of the Vulnerable Software and Affected Versions** Cisco Webex Meetings (affected versions not specified) **Description** A vulnerability in the meeting-join functionality of Cisco Webex Meetings could allow an unauthenticated, network-proximate attacker to complete a meeting-join process in place of an intended user. This was due to client certificate validation issues. An attacker could exploit this by monitoring local wireless or adjacent networks for client-join requests and attempting to interrupt and complete the meeting-join flow as another user. A successful exploit could allow the attacker to join the meeting as another user. The Cisco Product Security Incident Response Team (PSIRT) is not aware of any malicious use of this vulnerability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Apache HTTP Server versions through 2.4.63 Description: In certain mod ssl configurations, a man-in-the-middle attacker can hijack an HTTP session through a TLS upgrade attack. This issue affects configurations utilizing “SSLEngine optional” to enable TLS upgrades. The attack is related to HTTP desynchronization. Recommendations: Upgrade to version 2.4.64, which removes support for TLS upgrade.