PT-2022-16024 · Unknown · Bigbluebutton

Juraj Somorovsky (+2) · Published 2022-12-16 · Updated 2022-12-22 · CVE-2022-23490

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: BigBlueButton versions prior to 2.4.0

Description: The issue affects meetings with polls in BigBlueButton, an open source web conferencing system, where an attacker who is a meeting participant can gain access to sensitive information. Specifically, subscribing to the current-poll collection does not update the client UI but gives the attacker access to the contents of the collection, including individual poll responses.

Recommendations: For versions prior to 2.4.0, update to version 2.4.0 to resolve the issue. As a temporary workaround, consider restricting access to meetings with polls until the update is applied.

Incorrect Authorization

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2022-23490
GHSA-4QGC-XHW5-6QFG

Affected Products

Bigbluebutton