CVE-2020-27603

HIGH

BigBlueButton <2.2.27 - Info Disclosure

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-27603. PoCs published by hannob.

AI-analyzed exploit summary: This repository contains a writeup and proof-of-concept ODT files demonstrating a file exfiltration vulnerability in LibreOffice when used in server-side rendering contexts like Big Blue Button. The vulnerability allows exfiltration of files via crafted ODT documents.

Description

BigBlueButton before 2.2.27 has an unsafe JODConverter setting in which LibreOffice document conversions can access external files.

Exploits (1)

nomisec WRITEUP 3 stars
by hannob · poc
https://github.com/hannob/CVE-2020-27603-bbb-libreoffice-poc

Classification: Writeup 90%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: LibreOffice (used in Big Blue Button)
No auth needed
Prerequisites: Access to a system using LibreOffice for server-side rendering (e.g., Big Blue Button)
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 7.5
EPSS: 0.0293
EPSS Percentile: 85.4%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

Status: published
Products (1): bigbluebutton/bigbluebutton < 2.2.27
Published: Oct 21, 2020
Tracked Since: Feb 18, 2026