← back
CVE-2023-42803

BigBlueButton Unrestricted File Upload vulnerability

CVSS 5.3 MEDIUMEPSS 0.5%CWE-434
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.3EPSS 0.5%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
30 Oct 2023Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.2 is vulnerable to unrestricted file upload, where the insertDocument API call does not validate the given file extension before saving the file, and does not remove it in case of validation failures. BigBlueButton 2.6.0-beta.2 contains a patch. There are no known workarounds.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Affected products
bigbluebutton · bigbluebutton

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/bigbluebutton/bigbluebutton/pull/15990https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-w98f-6x8w-xhjc