Samuelwei

**Name of the Vulnerable Software and Affected Versions** BigBlueButton versions 3.0.21 and below **Description** BigBlueButton is an open-source virtual classroom. Following instructions in the official documentation for "Server Customization" regarding ClamAV as a presentation file scanner can leave a BigBlueButton server vulnerable to a Denial of Service. The documentation’s instructions expose ports (3310 and 7357) to the internet. A remote attacker can exploit this by sending complex or large documents to clamd, potentially wasting server resources or shutting down the clamd process. The clamd documentation warns against exposing this port. Mounting /var/bigbluebutton with write permissions into the container, as suggested in the documentation, could also pose a future risk if vulnerabilities in clamd allow file manipulation within that folder. Users are only affected if they have followed the specific instructions in the BigBlueButton documentation. **Recommendations** Versions prior to 3.0.22 should not follow the documentation instructions for "Server Customization" on Support for ClamAV as presentation file scanner. Do not expose ports 3310 and 7357 to the internet. Avoid mounting /var/bigbluebutton with write permissions into the container.

**Name of the Vulnerable Software and Affected Versions** PILOS versions prior to 4.10.0 **Description** PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. A Cross-Site Request Forgery (CSRF) issue exists in an administrative API endpoint responsible for terminating all active video conferences on a single server. The affected endpoint, exposed via an HTTP GET request, performs a destructive action. While authorization checks are in place, the use of a GET request allows implicit invocation through same-site content. An authenticated administrator viewing crafted content within the application may unknowingly trigger the endpoint, terminating all active video conferences without explicit intent. The vulnerable endpoint is an administrative API endpoint. **Recommendations** Update to version 4.10.0 or later.

**Name of the Vulnerable Software and Affected Versions** PILOS versions prior to 2.3.0 **Description** The password reset component in PILOS uses the hostname supplied within the request host header when building a password reset URL. This could allow manipulation of the URL sent to PILOS users, potentially disclosing the password reset token if the link is followed. The issue only affects local user accounts and requires the password reset option to be enabled. **Recommendations** For versions prior to 2.3.0, update to version 2.3.0 to resolve the issue. As a temporary workaround, consider disabling the password reset option until the update is applied. Restrict access to the password reset component to minimize the risk of exploitation. Avoid using the password reset feature in the affected versions until the issue is resolved.