← back
CVE-2022-41962

BigBlueButton contains Incorrect Authorization for setting emoji status

CVSS 2.7 LOWEPSS 0.7%CWE-863
Vexday Risk Score
8Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 2.7EPSS 0.7%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
16 Dec 2022Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6, and 2.5-alpha-1 contain Incorrect Authorization for setting emoji status. A user with moderator rights can use the clear status feature to set any emoji status for other users. Moderators should only be able to set none as the status of other users. This issue is patched in 2.4-rc-6 and 2.5-alpha-1There are no workarounds.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Affected products
bigbluebutton · bigbluebutton

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-88qf-33qm-9mm7