CVE-2022-23488 MEDIUM

CVE-2022-23488: BigBlueButton vulnerable to Insertion of Sensitive Information Into Sent Data

Vendor Bigbluebutton
Product bigbluebutton
Weakness CWE-201
Published December 17, 2022
Last update April 17, 2025

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6 are vulnerable to Insertion of Sensitive Information Into Sent Data. The moderators-only webcams lock setting is not enforced on the backend, which allows an attacker to subscribe to viewers' webcams, even when the lock setting is applied. (The required streamId was being sent to all users even with lock setting applied). This issue is fixed in version 2.4-rc-6. There are no workarounds.

Key dates

02Disclosure timeline

December 17, 2022 CVE published
April 17, 2025 Record updated

Related vulnerabilities

04Related CVE