CVE-2020-27612

MEDIUM

4.3

CVSS Severity Score

EPSS Score0.1440%

EPSS Percentile32.23th

PublishedOct 21, 2020

Last ModifiedNov 21, 2024

Vulnerability Description

Greenlight in BigBlueButton through 2.2.28 places usernames in room URLs, which may represent an unintended information leak to users in a room, or an information leak to outsiders if any user publishes a screenshot of a browser window.

Affected Platforms (CPE)

📦

Bigbluebutton

<= 2.2.28

References & Advisories

🔗 https://docs.bigbluebutton.org/admin/privacy.html

Related Vulnerabilities

CVE-2020-276029.8

BigBlueButton before 2.2.7 does not have a protection mechanism for separator injection in meetingId, userId, and authToken.

CVE-2020-124439.8

BigBlueButton before 2.2.6 allows remote attackers to read arbitrary files because the presfilename (lowercase) value can be a .pd...

CVE-2020-276059.8

BigBlueButton through 2.2.28 uses Ghostscript for processing of uploaded EPS documents, and consequently may be subject to attacks...

CVE-2020-261638.8

BigBlueButton Greenlight before 2.5.6 allows HTTP header (Host and Origin) attacks, which can result in Account Takeover if a vict...