Separator Injection Vulnerability in BigBlueButton by BigBlueButton Inc.
CVE-2020-27602

9.8CRITICAL

Key Information:

Vendor: Bigbluebutton
Status: Bigbluebutton
Vendor: CVE Published:; 29 September 2022

🔔 Create Bigbluebutton Vulnerability Alert

What is CVE-2020-27602?

BigBlueButton versions prior to 2.2.7 are susceptible to a separator injection vulnerability. This flaw occurs due to the lack of a protective mechanism in handling input values such as meetingId, userId, and authToken. Attackers could exploit this weakness to inject malicious data, potentially compromising session integrity and leading to unauthorized access within the application. Users are advised to upgrade to version 2.2.7 or later to mitigate the risks associated with this vulnerability.

References

https://github.com/bigbluebutton/bigbluebutton/compare/v2...

x_refsource_MISC

https://github.com/bigbluebutton/bigbluebutton/commit/4bf...

x_refsource_MISC

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 29, 2022
Vulnerability Reserved
Oct 21, 2020

CVE-2020-27602 Data

JSON