CVE-2020-28954

Опубликовано: 19 нояб. 2020

Источник: nvd

CVSS3: 5.3

CVSS2: 5

EPSS Низкий

Описание

web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name.

Ссылки

https://github.com/bigbluebutton/bigbluebutton/commit/5c911ddeec4493f40f42e2f137800ed4692004a4
Patch
Third Party Advisory
https://github.com/bigbluebutton/bigbluebutton/commit/e59bcd0c33a6a3203c011faa8823ba2cac1e4f37
Patch
Third Party Advisory
https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.28...v2.2.29
Release Notes
Third Party Advisory
https://github.com/bigbluebutton/bigbluebutton/issues/10818
Third Party Advisory
https://github.com/bigbluebutton/bigbluebutton/commit/5c911ddeec4493f40f42e2f137800ed4692004a4
Patch
Third Party Advisory
https://github.com/bigbluebutton/bigbluebutton/commit/e59bcd0c33a6a3203c011faa8823ba2cac1e4f37
Patch
Third Party Advisory
https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.28...v2.2.29
Release Notes
Third Party Advisory
https://github.com/bigbluebutton/bigbluebutton/issues/10818
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:bigbluebutton:bigbluebutton:*:*:*:*:*:*:*:*

Версия до 2.2.29 (исключая)

EPSS

Процентиль: 59%

0.00383

Низкий

5.3 Medium

CVSS3

5 Medium

CVSS2

Дефекты

CWE-116

Связанные уязвимости

GHSA-w2p3-47c3-r8h2

github

больше 3 лет назад