CVE-2024-38518

EUVD-2024-37388

28.06.2024, 21:15

BigBlueButton is an open-source virtual classroom designed to help teachers teach and learners learn. An attacker with a valid join link to a meeting can trick BigBlueButton into generating a signed join link with additional parameters. One of those parameters may be "role=moderator", allowing an attacker to join a meeting as moderator using a join link that was originally created for viewer access. This vulnerability has been patched in version(s) 2.6.18, 2.7.8 and 3.0.0-alpha.7.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
GitHub_M	CNA	4.6 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 25%

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
bigbluebutton	bigbluebutton	𝑥 < 2.6.18	CNA

Common Weakness Enumeration

CWE-284 - Improper Access Control
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References

https://github.com/bigbluebutton/bigbluebutton/commit/a9d436accdcd26ea66bed9f391488ac128cd62d1

https://github.com/bigbluebutton/bigbluebutton/commit/ea6e9461dceae8fa593543d8c686f77bb8677e72

https://github.com/bigbluebutton/bigbluebutton/pull/20279

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-4m48-49h7-f3c4

https://github.com/bigbluebutton/bigbluebutton/commit/a9d436accdcd26ea66bed9f391488ac128cd62d1

https://github.com/bigbluebutton/bigbluebutton/commit/ea6e9461dceae8fa593543d8c686f77bb8677e72

https://github.com/bigbluebutton/bigbluebutton/pull/20279

https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-4m48-49h7-f3c4