
Improper access control to polling votes

Moderate
antobinary published GHSA-4qgc-xhw5-6qfg Dec 15, 2022

Package

bbb-html5 (BigBlueButton)

Affected versions

<2.4.0

Patched versions

2.4.0

Description

Impact

Meetings with polls are affected. The attacker is a meeting participant. The attacker can subscribe to the current-poll collection. This does not update the client UI, but it gives the attacker access to the contents of the collection, which include the individual poll responses.

Workarounds

No workarounds.

References

Enforce a permission check so that only permitted users can access the current-poll collection.

Patch in BigBlueButton 2.4.0 | #13866
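The following is an added illustration, not code from bbb-html5 or the linked patch: a minimal in-memory model of a Meteor-style server publication for a "current-poll" collection, showing the vulnerable shape (any caller who knows the meeting id receives every document, responses included) beside the hardened shape that enforces the permission check described above. The user records, the "presenter is the permitted user" rule and the document layout are assumptions made for the example.

```javascript
// Added example, not bbb-html5 code. Constructed sample data: one meeting,
// one poll in progress, one presenter and one ordinary viewer.
const users = [
  { userId: 'u-presenter', meetingId: 'm1', presenter: true },
  { userId: 'u-viewer', meetingId: 'm1', presenter: false },
];
const currentPoll = [
  { meetingId: 'm1', pollId: 'p1', responses: [{ userId: 'u-viewer', answer: 'A' }] },
];

function findParticipant(userId, meetingId) {
  return users.find(u => u.userId === userId && u.meetingId === meetingId);
}

// Vulnerable shape: the publication only filters by the client-supplied
// meetingId, so any participant that issues the subscription gets the whole
// collection, including every individual response.
function publishCurrentPollVulnerable(ctx, meetingId) {
  return currentPoll.filter(p => p.meetingId === meetingId);
}

// Hardened shape: identity comes from the authenticated connection (ctx.userId,
// never a client argument), membership in the meeting is verified, and only
// the permitted role (assumed here: the presenter) receives any documents.
function publishCurrentPollHardened(ctx, meetingId) {
  const participant = findParticipant(ctx.userId, meetingId);
  if (!participant) return [];      // unknown or foreign user: publish nothing
  if (!participant.presenter) return [];  // participant without permission: nothing
  return currentPoll.filter(p => p.meetingId === meetingId);
}

// Check used when reviewing a publication: does the published set leak responses?
function exposesResponses(docs) {
  return docs.some(d => Array.isArray(d.responses) && d.responses.length > 0);
}
```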

For more information

If you have any questions or comments about this advisory:

Email us at security at bigbluebutton.org

Credits

We thank Nico Heitmann, Sven Hebrok, and Juraj Somorovsky from Paderborn University who examined the BigBlueButton code base and responsibly disclosed this vulnerability.

Severity

Moderate, 6.5 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE ID

CVE-2022-23490

Weaknesses

No CWEs