Impact
BigBlueButton 2.5 is vulnerable to unrestricted file upload: the insertDocument API call does not validate the given file extension before saving the file, and does not remove the file when validation fails.
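The two missing controls named above, shown as an added Python example; it is not BigBlueButton's code or its patch. The allow-list, the PDF-only content check, and the names `store_upload`, `stored_file_ok` and `RejectedUpload` are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path

# Assumed allow-list for illustration; not BigBlueButton's actual list.
ALLOWED_EXTENSIONS = {"pdf", "pptx", "docx", "odp", "png", "jpg"}
PDF_MAGIC = b"%PDF-"


class RejectedUpload(Exception):
    """Raised when an upload fails validation."""


def extension_of(filename: str) -> str:
    # Look only at the last path component, so directory parts of a
    # client-supplied name play no role in the decision.
    name = os.path.basename(filename.replace("\\", "/"))
    return Path(name).suffix.lower().lstrip(".")


def stored_file_ok(path: str, ext: str) -> bool:
    # Stand-in for post-save validation: only PDF magic bytes are checked here.
    if ext != "pdf":
        return True
    with open(path, "rb") as fh:
        return fh.read(len(PDF_MAGIC)) == PDF_MAGIC


def store_upload(upload_dir: Path, filename: str, data: bytes) -> Path:
    ext = extension_of(filename)
    # Control 1: reject on extension before any byte reaches disk.
    if ext not in ALLOWED_EXTENSIONS:
        raise RejectedUpload(f"extension not allowed: {ext!r}")
    # The stored name is chosen by the server, never taken from the client.
    fd, tmp = tempfile.mkstemp(dir=upload_dir, suffix="." + ext)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        if not stored_file_ok(tmp, ext):
            raise RejectedUpload("content does not match extension")
    except BaseException:
        # Control 2: any failure after the write removes the saved file.
        os.unlink(tmp)
        raise
    return Path(tmp)
```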
Patches
Patch on BigBlueButton 2.6.0-beta.2: #15990
Workarounds
There are no workarounds. We recommend upgrading to a patched version of BigBlueButton.
References
Credits
Abdulmohsen Alotaibi who contacted us via huntr.dev and responsibly disclosed this vulnerability.