PT-2024-28046 · Unknown · Bigbluebutton
Defnull · Published 2024-06-28 · Updated 2024-07-01 · CVE-2024-38518
CVSS v3.1: 4.6 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L
Name of the Vulnerable Software and Affected Versions
BigBlueButton versions prior to 2.6.18
BigBlueButton versions prior to 2.7.8
BigBlueButton versions prior to 3.0.0-alpha.7
Description
BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker with a valid join link to a meeting can trick BigBlueButton into generating a signed join link with additional parameters, such as role=moderator, allowing an attacker to join a meeting as moderator using a join link that was originally created for viewer access.
Recommendations
For versions prior to 2.6.18, update to version 2.6.18 or later.
For versions prior to 2.7.8, update to version 2.7.8 or later.
For versions prior to 3.0.0-alpha.7, update to version 3.0.0-alpha.7 or later.
Weakness Enumeration
Improper Access Control
Related Identifiers
CVE-2024-38518
Affected Products
Bigbluebutton