CVE-2020-26163

Опубликовано: 30 сент. 2020

Источник: nvd

CVSS3: 8.8

CVSS2: 6.8

EPSS Низкий

Описание

BigBlueButton Greenlight before 2.5.6 allows HTTP header (Host and Origin) attacks, which can result in Account Takeover if a victim follows a spoofed password-reset link.

Ссылки

https://github.com/bigbluebutton/greenlight/pull/1543
Patch
Third Party Advisory
https://github.com/bigbluebutton/greenlight/releases/tag/release-2.5.6
Third Party Advisory
https://www.sakshamanand.com/host-header-injection-bigbluebutton/
Exploit
Third Party Advisory
https://github.com/bigbluebutton/greenlight/pull/1543
Patch
Third Party Advisory
https://github.com/bigbluebutton/greenlight/releases/tag/release-2.5.6
Third Party Advisory
https://www.sakshamanand.com/host-header-injection-bigbluebutton/
Exploit
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:bigbluebutton:greenlight:*:*:*:*:*:*:*:*

Версия до 2.5.6 (исключая)

EPSS

Процентиль: 66%

0.0051

Низкий

8.8 High

CVSS3

6.8 Medium

CVSS2

Дефекты

NVD-CWE-Other

Связанные уязвимости

GHSA-5wp7-85p7-qq6v

github

больше 3 лет назад