CVE-2023-42804 Information
Nov 02, 2023
Description
BigBlueButton is an open-source virtual classroom. Versions prior to 2.6.0-beta.1 have a path traversal vulnerability that allows an attacker with a valid starting folder path to traverse and read other files without authentication, provided the files have certain extensions (txt, swf, svg, png). Version 2.6.0-beta.1 added input validation on the parameters being passed and strips dangerous characters. There are no known workarounds.
Reference
https://github.com/bigbluebutton/bigbluebutton/pull/15960
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3qjg-229m-vq84