Impact
Meetings with polls are affected. The attacker is a meeting participant. The attacker can subscribe to the current-poll collection. The subscription does not change anything in the attacker's client UI, but it delivers the contents of the collection to the attacker, including the individual poll responses.
Workarounds
No workarounds.
References
Enforce a permission check so that only authorized users can access the current-poll collection.
Patch in BigBlueButton 2.4.0 | #13866
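The following is an added illustration and not BigBlueButton's own code. It models a Meteor-style publication for a current-poll collection and places the unchecked shape described under Impact beside a version with the server-side permission check the fix describes. The data, the publish/subscribe stand-ins and the rule that only the presenter or a moderator may read the poll are all assumptions for the example; the advisory does not spell out who the authorized users are.

```javascript
// Added illustration, not BigBlueButton's code. Models a Meteor-style
// publication for a "current-poll" collection and shows the missing
// permission check beside a hardened version.
// Assumption (not stated in the advisory): authorized users are the
// meeting's presenter and its moderators; adjust to the real policy.

// Constructed sample data: one meeting, three participants, one poll.
const users = [
  { userId: 'u1', meetingId: 'm1', role: 'MODERATOR', presenter: true },
  { userId: 'u2', meetingId: 'm1', role: 'VIEWER', presenter: false },
  { userId: 'u3', meetingId: 'm1', role: 'VIEWER', presenter: false },
];

const currentPoll = [
  {
    _id: 'p1',
    meetingId: 'm1',
    question: 'Did you find the lecture useful?',
    // The per-user responses are what an ordinary participant must not see.
    responses: [
      { userId: 'u2', answer: 'Yes' },
      { userId: 'u3', answer: 'No' },
    ],
  },
];

const publications = new Map();

// Stand-in for Meteor.publish: the handler receives the calling user
// and returns the documents that user may see, or null to deny.
function publish(name, handler) {
  publications.set(name, handler);
}

// Stand-in for a client calling Meteor.subscribe by publication name.
// Nothing here depends on what the client UI renders: whatever the
// handler returns reaches the subscriber.
function subscribe(name, userId) {
  const handler = publications.get(name);
  if (!handler) throw new Error(`unknown publication ${name}`);
  const user = users.find((u) => u.userId === userId);
  if (!user) return null; // not a logged-in participant
  return handler(user);
}

function pollsForMeeting(meetingId) {
  return currentPoll.filter((p) => p.meetingId === meetingId);
}

// Unchecked shape: any participant of the meeting receives every poll
// document for that meeting, responses included.
publish('current-poll-unchecked', (user) => pollsForMeeting(user.meetingId));

// Hardened shape: the permission check lives in the publication, so a
// subscriber who is not authorized receives nothing at all.
function isAllowedToSeePoll(user) {
  return user.presenter === true || user.role === 'MODERATOR';
}

publish('current-poll', (user) => {
  if (!isAllowedToSeePoll(user)) return null;
  return pollsForMeeting(user.meetingId);
});

// Counts how many individual responses a given subscriber can read.
function responsesVisibleTo(publicationName, userId) {
  const docs = subscribe(publicationName, userId);
  if (!docs) return 0;
  return docs.reduce((n, d) => n + d.responses.length, 0);
}
```

With the unchecked publication, viewer u2 can read both responses; with the checked one, only the presenter u1 gets them and viewers get nothing. The point carried over from the advisory is that hiding data in the client UI is not a control: the check has to run where the subscription is served.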
For more information
If you have any questions or comments about this advisory:
Email us at security at bigbluebutton.org
Credits
We thank Nico Heitmann, Sven Hebrok, and Juraj Somorovsky from Paderborn University who examined the BigBlueButton code base and responsibly disclosed this vulnerability.