Description
web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name.
References (4)
Core 4
Core References
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.28...v2.2.29
Patch, Third Party Advisory x_refsource_misc
https://github.com/bigbluebutton/bigbluebutton/commit/e59bcd0c33a6a3203c011faa8823ba2cac1e4f37
Third Party Advisory x_refsource_misc
https://github.com/bigbluebutton/bigbluebutton/issues/10818
Patch, Third Party Advisory x_refsource_misc
https://github.com/bigbluebutton/bigbluebutton/commit/5c911ddeec4493f40f42e2f137800ed4692004a4
Scores
CVSS v3
5.3
EPSS
0.0123
EPSS Percentile
65.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Details
CWE
CWE-116
Status
published
Products (1)
bigbluebutton/bigbluebutton
< 2.2.29
Published
Nov 19, 2020
Tracked Since
Feb 18, 2026