CVE-2020-27608

Name of the Vulnerable Software and Affected Versions BigBlueButton versions prior to 2.2.28

Description The issue allows for XSS attacks due to uploaded presentations being sent to clients without a Content-Type header. This can be exploited by uploading an HTML document with a .png file extension, demonstrating the potential for malicious script execution.

Recommendations For versions prior to 2.2.28, update to version 2.2.28 or later to resolve the issue. As a temporary workaround, consider restricting the upload of presentations or implementing additional validation on uploaded files to minimize the risk of exploitation.