Impact
An attacker can circumvent access controls to obtain the content of public chat messages from different meetings on the server. The attacker must be a participant in a meeting on the server.
Patches
Patched in BigBlueButton 2.3.9 and higher.
Workarounds
No workarounds.
References
Patched in BigBlueButton 2.3 (#12861) and included in BigBlueButton 2.4 as of BigBlueButton 2.4-beta-1.
For more information
If you have any questions or comments about this advisory:
Credits
We thank Nico Heitmann, Sven Hebrok, and Juraj Somorovsky from Paderborn University, who examined the BigBlueButton code base and responsibly disclosed this vulnerability.