CyberSec.Space Logo
Back to CVE Browser

CVE-2020-27602

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.0640%
EPSS Percentile13.22th
PublishedSep 29, 2022
Last ModifiedNov 21, 2024

Vulnerability Description

BigBlueButton before 2.2.7 does not have a protection mechanism for separator injection in meetingId, userId, and authToken.

Affected Platforms (CPE)

πŸ“¦
Bigbluebutton

Bigbluebutton

< 2.2.7

References & Advisories

πŸ”— https://github.com/bigbluebutton/bigbluebutton/commit/4bfd924c64da2681f4c037026021f47eb189d717
πŸ”— https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.6...v2.2.7
πŸ”— https://github.com/bigbluebutton/bigbluebutton/commit/4bfd924c64da2681f4c037026021f47eb189d717
πŸ”— https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.6...v2.2.7

Related Vulnerabilities

CVE-2020-276059.8

BigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks...

CVE-2020-124439.8

BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value can be a .pd...

CVE-2020-261638.8

BigBlueButton Greenlight before 2.5.6 allows HTTP header (Host and Origin) attacks, which can result in Account Takeover if a vict...

CVE-2020-276138.4

The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which allows local...