GitHub_MCVELIST:CVE-2024-38518CVE-2024-38518 bbb-web API additional parameters considered
4.6 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L
0.0004 Low
EPSS
Percentile
15.7%
BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker with a valid join link to a meeting can trick BigBlueButton into generating a signed join link with additional parameters. One of those parameters may be βrole=moderatorβ, allowing an attacker to join a meeting as moderator using a join link that was originally created for viewer access. This vulnerability has been patched in version(s) 2.6.18, 2.7.8 and 3.0.0-alpha.7.
CNA Affected
[
{
"vendor": "bigbluebutton",
"product": "bigbluebutton",
"versions": [
{
"version": "< 2.6.18",
"status": "affected"
},
{
"version": ">= 2.7.0, < 2.7.8",
"status": "affected"
},
{
"version": ">= 2.8.0, < 3.0.0-alpha.7",
"status": "affected"
}
]
}
]References
4.6 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L
0.0004 Low
EPSS
Percentile
15.7%