Wednesday, October 21, 2020
BigBlueButton 2.2.25 File Disclosure / Server-Side Request Forgery
RedTeam Pentesting discovered a vulnerability in the BigBlueButton web conferencing system version 2.2.25 that allows participants of a conference with permissions to upload presentations to read arbitrary files from the file system and perform server-side requests. This leads to administrative access to the BigBlueButton instance. BigBlueButton 2.2.25 File Disclosure / Server-Side Request Forgery