Impact
The moderators-only webcams lock setting was not enforced on the backend, which allowed an attacker to subscribe to viewers' webcams even when the lock setting was applied. (The streamId required to subscribe was sent to all users even with the lock setting applied.)
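The flaw described above is a client-side-only access check: the backend handed every webcam streamId to every participant and left it to the client to hide the ones the lock setting forbids, so anyone who read the stream list could subscribe. The following added example is not BigBlueButton's code; it is a hypothetical, self-contained Node.js model of that pattern beside the hardened form, where the backend filters the published list and re-checks authorization on the subscribe request itself. The meeting state, user roles, stream identifiers and the assumed lock semantics (under the lock, a viewer may see moderators' webcams and their own, while moderators see everything) are all constructed for the illustration.

```javascript
'use strict';

// Constructed sample meeting state (hypothetical, not BigBlueButton's data model).
const meeting = {
  lockSettings: { webcamsOnlyForModerator: true },
  users: {
    mod1: { id: 'mod1', role: 'MODERATOR' },
    viewerA: { id: 'viewerA', role: 'VIEWER' },
    viewerB: { id: 'viewerB', role: 'VIEWER' },
  },
  streams: [
    { streamId: 'stream-mod1', ownerId: 'mod1' },
    { streamId: 'stream-viewerA', ownerId: 'viewerA' },
    { streamId: 'stream-viewerB', ownerId: 'viewerB' },
  ],
};

function isModerator(state, userId) {
  const user = state.users[userId];
  return Boolean(user) && user.role === 'MODERATOR';
}

// Vulnerable pattern: the backend publishes every streamId to every
// participant and relies on the client to hide the forbidden ones.
// A viewer who ignores the client-side filter still receives all ids.
function publishStreamsUnenforced(state, requesterId) {
  if (!state.users[requesterId]) return [];
  return state.streams.map((s) => s.streamId);
}

// Single backend authorization decision for one (requester, stream) pair.
// Assumed lock semantics: own webcam always visible; moderators see all;
// with the lock on, viewers see only moderator-owned webcams.
function mayViewStream(state, requesterId, stream) {
  if (!state.users[requesterId]) return false;
  if (stream.ownerId === requesterId) return true;
  if (isModerator(state, requesterId)) return true;
  if (!state.lockSettings.webcamsOnlyForModerator) return true;
  return isModerator(state, stream.ownerId);
}

// Hardened publication: only ids the requester is allowed to see leave the backend.
function publishStreamsEnforced(state, requesterId) {
  return state.streams
    .filter((s) => mayViewStream(state, requesterId, s))
    .map((s) => s.streamId);
}

// Hardened subscription handler: the same check runs again here, so
// knowing a streamId (e.g. from an older client or a leaked list) is
// not sufficient to subscribe.
function subscribe(state, requesterId, streamId) {
  const stream = state.streams.find((s) => s.streamId === streamId);
  if (!stream) return { ok: false, reason: 'unknown stream' };
  if (!mayViewStream(state, requesterId, stream)) {
    return { ok: false, reason: 'forbidden by lock setting' };
  }
  return { ok: true, streamId };
}

// Demo: compare what a viewer is handed under each pattern.
console.log('unenforced, viewerA:', publishStreamsUnenforced(meeting, 'viewerA'));
console.log('enforced, viewerA:  ', publishStreamsEnforced(meeting, 'viewerA'));
console.log('viewerA -> viewerB: ', subscribe(meeting, 'viewerA', 'stream-viewerB'));
console.log('mod1 -> viewerB:    ', subscribe(meeting, 'mod1', 'stream-viewerB'));
```

The point of the two-layer check is that filtering the published list alone is not enough: the subscribe endpoint must make its own authorization decision, because the list a client holds may be stale (the lock was applied after the list was sent) or may have been obtained by a client that ignores the intended filtering.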
Patches
v2.4-rc-6 (release)
v2.5-alpha-1 (release)
Workarounds
No Workarounds.
References
#13790
For more information
If you have any questions or comments about this advisory:
Email us at security at bigbluebutton.org
Credits
We thank Nico Heitmann, Sven Hebrok, and Juraj Somorovsky from Paderborn University who examined the BigBlueButton code base and responsibly disclosed this vulnerability.