Impact
A user with moderator rights could use the feature of clear status to set any emoji status for other users.
Workarounds
No workaround.
References
We improved the permission checks, allowing moderators to only set as none the status of other users.
Patch in BigBlueButton 2.4-rc-6 | #13817
Patch in BigBlueButton 2.5-alpha-1 | #13262
For more information
If you have any questions or comments about this advisory:
Email us at security at bigbluebutton.org
Credits
We thank Nico Heitmann, Sven Hebrok, and Juraj Somorovsky from Paderborn University who examined the BigBlueButton code base and responsibly disclosed this vulnerability.
Impact
A user with moderator rights could use the feature of
clear statusto set any emoji status for other users.Workarounds
No workaround.
References
We improved the permission checks, allowing moderators to only set as
nonethe status of other users.Patch in BigBlueButton 2.4-rc-6 | #13817
Patch in BigBlueButton 2.5-alpha-1 | #13262
For more information
If you have any questions or comments about this advisory:
Email us at security at bigbluebutton.org
Credits
We thank Nico Heitmann, Sven Hebrok, and Juraj Somorovsky from Paderborn University who examined the BigBlueButton code base and responsibly disclosed this vulnerability.