PT-2023-28590 · Unknown · Bigbluebutton

Abdulmohsen Alotaibi · Published 2023-10-30 · Updated 2023-11-07 · CVE-2023-42804

CVSS v3.1: 3.1 (Low)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: BigBlueButton versions prior to 2.6.0-beta.1
Description: BigBlueButton is an open-source virtual classroom. It contains a path traversal vulnerability: an unauthenticated attacker who knows a valid starting folder path can traverse out of that folder and read other files on the server, provided those files have one of the served extensions (txt, swf, svg, png). In version 2.6.0-beta.1, input validation was added on the parameters being passed, and dangerous characters are stripped.
Recommendations: For versions prior to 2.6.0-beta.1, update to version 2.6.0-beta.1 or later, which includes input validation and strips dangerous characters from parameters. As a temporary workaround, consider restricting access to sensitive files and directories to minimize the risk of exploitation.
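The description above combines two weaknesses a file-serving endpoint can have: it trusts a client-supplied folder path, and it relies on an extension allow-list as its only filter. The snippet below is an added illustration written for this advisory, not BigBlueButton's code, and it assumes a constructed base directory and a two-segment request (folder plus filename). It shows the "strip dangerous characters" style of fix described for 2.6.0-beta.1 layered under a containment check, which is the control that actually prevents reads outside the base directory even if the sanitiser is bypassed.

```python
import posixpath
import re
from typing import Optional

# Extensions the advisory says the vulnerable endpoint served (taken from the advisory text).
SERVED_EXTENSIONS = frozenset({".txt", ".swf", ".svg", ".png"})

# Sequences that must never survive in a client-supplied path segment:
# parent-directory references, backslashes and NUL bytes.
_DANGEROUS = re.compile(r"(\.\.|[\\\x00])")


def strip_dangerous(value: str) -> str:
    """Sanitiser in the style of the described fix (an assumption about its shape,
    not BigBlueButton's actual code). Repeats until the value is stable so that
    a sequence such as '....//' cannot reassemble into '../' after one pass."""
    prev = None
    while prev != value:
        prev = value
        value = _DANGEROUS.sub("", value)
    return value


def check_contained(base_dir: str, folder: str, filename: str) -> Optional[str]:
    """Join and normalise the path lexically and require it to stay under base_dir.
    Returns the absolute path, or None if the request escapes the base directory.
    A production check should additionally resolve symlinks (os.path.realpath)
    before comparing, because this lexical check cannot see them."""
    # Absolute client input would discard base_dir on join, so refuse it outright.
    if folder.startswith("/") or filename.startswith("/"):
        return None
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, folder, filename))
    if candidate != base and not candidate.startswith(base + "/"):
        return None
    return candidate


def resolve_served_path(base_dir: str, folder: str, filename: str) -> Optional[str]:
    """Full decision: sanitise, contain, then apply the extension allow-list.
    The extension check comes last because it only limits *which* files are served;
    on its own it does not stop a traversal to a file with an allowed extension."""
    candidate = check_contained(base_dir, strip_dangerous(folder), strip_dangerous(filename))
    if candidate is None:
        return None
    if posixpath.splitext(candidate)[1].lower() not in SERVED_EXTENSIONS:
        return None
    return candidate


# Constructed sample base directory and requests; not BigBlueButton's real layout.
BASE = "/var/bigbluebutton/presentations"
REQUESTS = [
    ("meeting-1/pres-a", "slide-1.png"),            # legitimate request
    ("meeting-1/../../../etc", "passwd"),           # traversal, no served extension
    ("meeting-1/../../../../etc", "motd.txt"),      # traversal to a file with an allowed extension
    ("meeting-1/pres-a", "notes.pdf"),              # inside base, but extension not served
]


def triage(requests=REQUESTS, base=BASE) -> dict:
    """Map each constructed request to the path that would be served (None = rejected)."""
    return {f"{folder}/{name}": resolve_served_path(base, folder, name) for folder, name in requests}


if __name__ == "__main__":
    for request, served in triage().items():
        print(f"{request!r:45} -> {served}")
    # With the sanitiser disabled, the containment check alone still rejects the traversal:
    print(check_contained(BASE, "meeting-1/../../../../etc", "motd.txt"))
```

Running `check_contained` directly on the traversal request returns `None`, which is the behaviour a pre-fix endpoint lacked; with the sanitiser in front of it, the same request is neutered into a path inside the base directory instead. Keeping both layers means a future bypass of the character stripping does not reopen the file read.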

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2023-42804
GHSA-3QJG-229M-VQ84

Affected Products

Bigbluebutton