Wednesday, October 21, 2020

BigBlueButton 2.2.25 File Disclosure / Server-Side Request Forgery

RedTeam Pentesting discovered a vulnerability in version 2.2.25 of the BigBlueButton web conferencing system. It allows conference participants who have permission to upload presentations to read arbitrary files from the file system and perform server-side requests. This leads to administrative access to the BigBlueButton instance.
