CVE-2023-42803 MEDIUM

CVE-2023-42803: BigBlueButton Unrestricted File Upload vulnerability

Vendor Bigbluebutton
Product bigbluebutton
Weakness CWE-434 · Unrestricted file upload
Published October 30, 2023
Last update September 6, 2024

CVSS base score

5.3/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01 Description

BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.2 is vulnerable to unrestricted file upload, where the insertDocument API call does not validate the given file extension before saving the file, and does not remove it in case of validation failures. BigBlueButton 2.6.0-beta.2 contains a patch. There are no known workarounds.

Key dates

02 Disclosure timeline

October 30, 2023 CVE published
September 6, 2024 Record updated