CVE-2020-12112

HIGH

BigBlueButton < 2.2.5 - Path Traversal

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-12112. PoCs published by tchenu.

AI-analyzed exploit summary: This repository documents CVE-2020-12112, a Local File Inclusion (LFI) vulnerability in BigBlueButton versions below 2.2.4. The vulnerability arises from improper path concatenation in the `getDownloadablePresentationFile` method, allowing attackers to access sensitive files via path traversal.

Description

BigBlueButton before 2.2.5 allows remote attackers to obtain sensitive files via Local File Inclusion.

Exploits (1)

nomisec WRITEUP 14 stars
by tchenu · poc
https://github.com/tchenu/CVE-2020-12112

Classification: Writeup 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: BigBlueButton < 2.2.4
No auth needed
Prerequisites: Valid presentation download URL
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Third Party Advisory x_refsource_misc
https://twitter.com/bigbluebutton/status/1252706369486180353
Patch, Third Party Advisory x_refsource_misc
https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.4...v2.2.5
Third Party Advisory x_refsource_misc
https://cwe.mitre.org/data/definitions/23.html
Exploit, Third Party Advisory x_refsource_misc
https://github.com/tchenu/CVE-2020-12112

Scores

CVSS v3 7.5
EPSS 0.0908
EPSS Percentile 92.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE CWE-22
Status published
Products (1)
bigbluebutton/bigbluebutton < 2.2.5
Published Apr 23, 2020
Tracked Since Feb 18, 2026