[RT-SA-2020-005] Arbitrary File Disclosure and Server-Side Request Forgery in BigBlueButton

Posted by RedTeam Pentesting GmbH on Oct 21

Advisory: Arbitrary File Disclosure and Server-Side Request Forgery in BigBlueButton

RedTeam Pentesting discovered a vulnerability in the BigBlueButton web
conferencing system which allows participants of a conference with
permissions to upload presentations to read arbitrary files from the
file system and perform server-side requests. This leads to
administrative access to the BigBlueButton instance.

Details
=======

Product: BigBlueButton…
