Impact
This vulnerability affects only the release candidates of BigBlueButton 2.4. An attacker who is a meeting presenter can start a subscription for poll results before starting an anonymous poll, and then use that subscription to see the individual responses to the anonymous poll.
Workarounds
No Workarounds
References
The publisher was changed to filter only on server-side data, according to the poll type.
Patch in BigBlueButton 2.4.0 | #13866
Patch in BigBlueButton 2.5-alpha-1 | #14405
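The bug class behind this advisory, as an added illustration that is not BigBlueButton's code: a results publisher that decides how much to reveal from what the client said when it subscribed (`subscriptionArgs.anonymous`) leaks identities to a subscription opened before the anonymous poll exists, whereas one that re-reads the poll type stored on the server does not. The poll store, `createPoll`, `recordResponse` and the two publishers are hypothetical names for this example.

```javascript
// Constructed model of the advisory's publisher bug; not BigBlueButton's code.
// Server-side state: polls keyed by id, each with a type and its responses.
const polls = new Map();

function createPoll(pollId, type) {
  polls.set(pollId, { id: pollId, type, responses: [] });
}

function recordResponse(pollId, userId, answer) {
  polls.get(pollId).responses.push({ userId, answer });
}

// Vulnerable publisher: the projection is fixed by a client-supplied flag
// captured when the subscription starts. A presenter who subscribes with
// anonymous=false before the anonymous poll is created keeps receiving userIds.
function publishVulnerable(pollId, subscriptionArgs) {
  return () => {
    const poll = polls.get(pollId);
    if (!poll) return [];
    return subscriptionArgs.anonymous
      ? poll.responses.map(r => ({ answer: r.answer }))
      : poll.responses.map(r => ({ userId: r.userId, answer: r.answer }));
  };
}

// Fixed publisher: ignores client hints and derives the projection from the
// poll type stored on the server, re-evaluated on every read of the results.
function publishFixed(pollId) {
  return () => {
    const poll = polls.get(pollId);
    if (!poll) return [];
    return poll.responses.map(r =>
      poll.type === 'anonymous'
        ? { answer: r.answer }
        : { userId: r.userId, answer: r.answer });
  };
}

// Replays the advisory's sequence: subscribe first, then create the anonymous
// poll, then record a response, and return what the subscriber sees.
function scenario(makePublisher) {
  polls.clear();
  const read = makePublisher('poll-1', { anonymous: false }); // subscribed early
  createPoll('poll-1', 'anonymous');
  recordResponse('poll-1', 'user-42', 'B'); // constructed sample response
  return read();
}
```

`scenario(publishVulnerable)` exposes `user-42` with its answer; `scenario(publishFixed)` returns only the answer.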
For more information
If you have any questions or comments about this advisory:
Email us at security at bigbluebutton.org
Credits
We thank Nico Heitmann, Sven Hebrok, and Juraj Somorovsky from Paderborn University who examined the BigBlueButton code base and responsibly disclosed this vulnerability.