CVE-2023-42803
Summary
| CVE | CVE-2023-42803 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2023-10-30 19:15:00 UTC |
| Updated | 2023-11-07 23:25:00 UTC |
| Description | BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.2 is vulnerable to unrestricted file upload, where the insertDocument API call does not validate the given file extension before saving the file, and does not remove it in case of validation failures. BigBlueButton 2.6.0-beta.2 contains a patch. There are no known workarounds. |
Risk And Classification
Problem Types: CWE-434
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Bigbluebutton | Bigbluebutton | 2.6.0 | alpha1 | All | All |
| Application | Bigbluebutton | Bigbluebutton | 2.6.0 | alpha2 | All | All |
| Application | Bigbluebutton | Bigbluebutton | 2.6.0 | alpha3 | All | All |
| Application | Bigbluebutton | Bigbluebutton | 2.6.0 | alpha4 | All | All |
| Application | Bigbluebutton | Bigbluebutton | 2.6.0 | beta1 | All | All |
| Application | Bigbluebutton | Bigbluebutton | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Unrestricted File Upload · Advisory · bigbluebutton/bigbluebutton · GitHub | MISC | github.com | |
| fix (bbb-web): improvements on presentations upload by GuiLeme · Pull Request #15990 · bigbluebutton/bigbluebutton · GitHub | MISC | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |