CVE-2022-41962

LOW

BigBlueButton < 2.4-rc-6 and 2.5-alpha-1 - Authenticated Incorrect Authorization in Emoji Status Feature

Title source: llm
STIX 2.1

Description

BigBlueButton is an open source web conferencing system. Versions prior to 2.4-rc-6, and 2.5-alpha-1 contain Incorrect Authorization for setting emoji status. A user with moderator rights can use the clear status feature to set any emoji status for other users. Moderators should only be able to set none as the status of other users. This issue is patched in 2.4-rc-6 and 2.5-alpha-1There are no workarounds.

References (3)

Core 3
Core References
Patch, Release Notes, Third Party Advisory x_refsource_confirm
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-88qf-33qm-9mm7
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.4-rc-6
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/bigbluebutton/bigbluebutton/releases/tag/v2.5-alpha-1

Scores

CVSS v3 2.7
EPSS 0.0066
EPSS Percentile 46.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-863
Status published
Products (2)
bigbluebutton/bigbluebutton 2.4 alpha1 (10 CPE variants)
bigbluebutton/bigbluebutton < 2.4
Published Dec 16, 2022
Tracked Since Feb 18, 2026