Impact
BigBlueButton 2.5 is vulnerable to a path traversal vulnerability that allows an attacker with a valid starting folder path to traverse and read other files without authentication, provided the files have certain extensions (txt, swf, svg, png).
Patches
Input validation was added to the parameters being passed, and dangerous characters are stripped.
Patch on BigBlueButton 2.6.0-beta.1: #15960
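As an added illustration that is not BigBlueButton's own code, the following Python shows the shape of check such a fix needs: the requested folder and file name are rejected if they carry a ".." segment, the resolved path is confined to a base directory by canonical-path containment, and the extension is checked against the allowlist named above. The base directory, the parameter names and the sample requests are assumptions for illustration.

```python
# Added example (not BigBlueButton code): confine a requested folder/file pair
# to a base directory and to an allowlist of extensions before serving it.
# The base directory, parameter names and sample requests are assumptions.
import os
import posixpath
from typing import Optional

# Extensions the advisory names as readable through the traversal.
ALLOWED_EXTENSIONS = {".txt", ".swf", ".svg", ".png"}


def resolve_safe_path(base_dir: str, folder: str, filename: str) -> Optional[str]:
    """Return the absolute path to serve, or None if the request must be refused."""
    for part in (folder, filename):
        # Refuse NUL bytes, absolute paths and any ".." segment outright.
        if "\x00" in part or posixpath.isabs(part):
            return None
        if any(segment == ".." for segment in part.split("/")):
            return None
    if os.path.splitext(filename)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, folder, filename))
    # Defence in depth: after symlinks and duplicate slashes are resolved,
    # the candidate must still sit inside the base directory.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed sample requests against an assumed base directory.
    base = "/srv/bbb/presentations"
    for folder, name in [("meeting-1/presentation-1", "slide-1.png"),
                         ("meeting-1", "../../../etc/hosts.txt"),
                         ("meeting-1/../meeting-2", "slide-1.png"),
                         ("meeting-1", "notes.exe")]:
        print(repr((folder, name)), "->", resolve_safe_path(base, folder, name))
```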
Workarounds
There are no workarounds. We recommend upgrading to a patched version of BigBlueButton.
References
Credits
Abdulmohsen Alotaibi, who contacted us via huntr.dev and responsibly disclosed this vulnerability.