CVE-2020-25820

MEDIUM

Bigbluebutton < 2.2.27 - SSRF

Title source: rule

Description

BigBlueButton before 2.2.7 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field.

Exploits (1)

exploitdb WORKING POC

by RedTeam Pentesting GmbH · textwebappsmultiple

https://www.exploit-db.com/exploits/49070

View Code ZIP pw:eip

References (5)

[Third Party Advisory] https://www.redteam-pentesting.de/advisories/rt-sa-2020-005

[Exploit, Third Party Advisory] https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html

[Exploit, Third Party Advisory] http://packetstormsecurity.com/files/159667/BigBlueButton-2.2.25-File-Disclosure-Server-Side-Request-Forgery.html

[Patch, Third Party Advisory] https://github.com/bigbluebutton/bigbluebutton/commit/71fe1eac1e5bd73a2cd44bd79c001086b250e435

[Release Notes, Third Party Advisory] https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.26...v2.2.27

Scores

CVSS v3 6.5

EPSS 0.0395

EPSS Percentile 88.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-918

Status published

Products (1)

bigbluebutton/bigbluebutton < 2.2.27

Published Oct 21, 2020

Tracked Since Feb 18, 2026