PT-2022-26188 · Unknown · Bigbluebutton
Juraj Somorovsky +2
Published 2022-12-16 · Updated 2022-12-21
CVE-2022-41964
CVSS v3.1: 5.7 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
BigBlueButton versions prior to 2.4.0
Description
The issue affects BigBlueButton, an open-source web conferencing system. It allows an attacker who holds the meeting presenter role to start a subscription for poll results before an anonymous poll is started; that subscription then exposes the individual responses given in the anonymous poll.
Recommendations
For versions prior to 2.4.0, update to version 2.4.0 to resolve the issue.
As a temporary workaround, consider restricting the ability to start subscriptions for poll results before starting an anonymous poll, or limiting the role of meeting presenter to trusted individuals.
Weakness Enumeration
Information Disclosure
Affected Products
Bigbluebutton