CVE-2020-25820

Name of the Vulnerable Software and Affected Versions BigBlueButton versions prior to 2.2.7

Description The issue allows remote authenticated users to read local files and conduct Server-Side Request Forgery (SSRF) attacks. This is achieved by uploading an Office document that contains a crafted URL in an OpenDocument Format (ODF) xlink field. SSRF attacks involve tricking a server into making requests to unintended locations, potentially leading to unauthorized access to sensitive data or systems.

Recommendations For versions prior to 2.2.7, update to version 2.2.7 or later to resolve the issue. As a temporary workaround, consider restricting the upload of Office documents or disabling the handling of ODF xlink fields until a patch is applied. Avoid using the xlink field in uploaded Office documents until the issue is resolved.