CVE-2023-42804
LOWBigBlueButton < 2.6.0-beta.1 - Unauthenticated Path Traversal via File Extension Validation Bypass
Title source: llmDescription
BigBlueButton is an open-source virtual classroom. BigBlueButton prior to version 2.6.0-beta.1 has a path traversal vulnerability that allows an attacker with a valid starting folder path, to traverse and read other files without authentication, assuming the files have certain extensions (txt, swf, svg, png). In version 2.6.0-beta.1, input validation was added on the parameters being passed and dangerous characters are stripped. There are no known workarounds.
References (2)
Core 2
Core References
Third Party Advisory x_refsource_confirm
https://github.com/bigbluebutton/bigbluebutton/security/advisories/GHSA-3qjg-229m-vq84
Third Party Advisory x_refsource_misc
https://github.com/bigbluebutton/bigbluebutton/pull/15960
Scores
CVSS v3
3.1
EPSS
0.0046
EPSS Percentile
36.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (2)
bigbluebutton/bigbluebutton
2.6.0 alpha1 (4 CPE variants)
bigbluebutton/bigbluebutton
< 2.5.18
Published
Oct 30, 2023
Tracked Since
Feb 18, 2026