CVE-2020-25820 - BigBlueButton before 2.2.27 allows remote authenticated users to read loc - CVEs Blog

BigBlueButton before 2.2.27 allows remote authenticated users to read local files and conduct SSRF attacks via an uploaded Office document that has a crafted URL in an ODF xlink field.

Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25820

Reference (s):

http://packetstormsecurity.com/files/159667/BigBlueButton-2.2.25-File-Disclosure-Server-Side-Request-Forgery.html
https://github.com/bigbluebutton/bigbluebutton/commit/71fe1eac1e5bd73a2cd44bd79c001086b250e435
https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.26 v2.2.27
https://www.golem.de/news/big-blue-button-das-grosse-blaue-sicherheitsrisiko-2010-151610.html
https://www.redteam-pentesting.de/advisories/rt-sa-2020-005

CVE-2020-25820 – BigBlueButton before 2.2.27 allows remote authenticated users to read loc

Something Fresh

CVE-2004-1715 - Directory traversal vulnerability in MIMEsweeper for Web before 5.0.4 all

CVE-2020-27216 - In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 1

CVE-2020-27212 - STMicroelectronics STM32L4 devices through 2020-10-19 have incorrect acce

What People Reading

CVE-2015-0320 - Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and

CVE-2015-0353 - Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.

CVE-2004-1715 - Directory traversal vulnerability in MIMEsweeper for Web before 5.0.4 all

CVE-2020-27207 - Zetetic SQLCipher 4.x before 4.4.1 has a use-after-free, related to sqlci

CVE-2020-27158 - Addressed remote code execution vulnerability in cgi_api.php that allowed

Categories

Partners

Just add here your partners image or promo text