CVE-2020-27604 | Date: (C)2020-10-22 (M)2023-12-22 |
BigBlueButton before 2.3 does not implement LibreOffice sandboxing. This might make it easier for remote authenticated users to read the API shared secret in the bigbluebutton.properties file. With the API shared secret, an attacker can (for example) use api/join to join an arbitrary meeting regardless of its guestPolicy setting.
CVSS Score and Metrics +CVSS Score and Metrics -CVSS V3 Severity: | CVSS V2 Severity: |
CVSS Score : 6.5 | CVSS Score : 4.0 |
Exploit Score: 2.8 | Exploit Score: 8.0 |
Impact Score: 3.6 | Impact Score: 2.9 |
|
CVSS V3 Metrics: | CVSS V2 Metrics: |
Attack Vector: NETWORK | Access Vector: NETWORK |
Attack Complexity: LOW | Access Complexity: LOW |
Privileges Required: LOW | Authentication: SINGLE |
User Interaction: NONE | Confidentiality: PARTIAL |
Scope: UNCHANGED | Integrity: NONE |
Confidentiality: HIGH | Availability: NONE |
Integrity: NONE | |
Availability: NONE | |
| |