CVE-2023-42803

BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.2 is vulnerable to unrestricted file upload, where the insertDocument API call does not validate the given file extension before saving the file, and does not remove it in case of validation failures. BigBlueButton 2.6.0-beta.2 contains a patch. There are no known workarounds.
Base Score (CVSS 3.x)

Provider   Type  Base Score   Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST       NIST  5.3 MEDIUM   NETWORK      HIGH             LOW             CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
GitHub_M   CNA   5.3 MEDIUM   NETWORK      HIGH             LOW             CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE        ADP   ---          ---
CISA-ADP   ADP   ---          ---

EPSS Score Percentile: 27%
Vendor         Product        Version
bigbluebutton  bigbluebutton  x ≤ 2.5.18
bigbluebutton  bigbluebutton  2.6.0:alpha1
bigbluebutton  bigbluebutton  2.6.0:alpha2
bigbluebutton  bigbluebutton  2.6.0:alpha3
bigbluebutton  bigbluebutton  2.6.0:alpha4
bigbluebutton  bigbluebutton  2.6.0:beta1

x = Vulnerable software versions