PT-2022-16022 · Unknown · Bigbluebutton

Juraj Somorovsky (+2) · Published 2022-12-17 · Updated 2023-06-27 · CVE-2022-23488

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: BigBlueButton versions prior to 2.4-rc-6

Description: The moderators-only webcams lock setting in BigBlueButton is enforced only on the client, not on the backend. Because the streamId required to subscribe to a webcam is sent to all users regardless of the lock setting, an attacker can subscribe to viewers' webcams even when the lock is applied.

Recommendations: For versions prior to 2.4-rc-6, update to version 2.4-rc-6 to resolve the issue. As a temporary workaround, consider restricting access to the webcam feature until the update is applied.

Weakness Enumeration: Incorrect Authorization, Information Disclosure

Related Identifiers: CVE-2022-23488, GHSA-J5G3-F74Q-RVFQ

Affected Products: Bigbluebutton