BigBlueButton CVE Vulnerabilities & CVE List (55)

Products (CPE): — CVEs: 55

BigBlueButton vulnerability overview

Aggregates CVE and security vulnerability intelligence across all BigBlueButton-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.

Historical issues mainly involve vendor risk cross-site scripting, vendor risk ssrf, vendor risk open redirect, and vendor risk input validation and related problems; some flaws may lead to vendor impact file overwrite.

Vulnerability distribution trend (last 24 months)

Showing 2140 of 55 CVEs
CVE Summary Source Max CVSS EPSS % Published Updated
CVE-2020-27602 BigBlueButton before 2.2.7 does not have a protection mechanism for separator injection in meetingId, userId, and authToken. [email protected] 9.8 1.39% 2022-09-28 2026-06-16
CVE-2020-27601 In BigBlueButton before 2.2.7, lockSettingsProps.disablePrivateChat does not apply to already opened chats. This occurs in bigbluebutton-html5/imports/ui/components/chat/service.js. [email protected] 3.5 0.77% 2022-09-28 2026-06-16
CVE-2022-31065 BigBlueButton is an open source web conferencing system. In affected versions an attacker can embed malicious JS in their username and have it executed on the victim's client. When a user receives a private chat from the attacker (whose username contains malicious JavaScript), the script gets executed. Additionally when the victim receives a notification that the attacker has left the session. This issue has been patched in version 2.4.8 and 2.5.0. There are no known workarounds for this issue. [email protected] 6.5 0.72% 2022-06-27 2026-06-17
CVE-2022-31064 BigBlueButton is an open source web conferencing system. Users in meetings with private chat enabled are vulnerable to a cross site scripting attack in affected versions. The attack occurs when the attacker (with xss in the name) starts a chat. in the victim's client the JavaScript will be executed. This issue has been addressed in version 2.4.8 and 2.5.0. There are no known workarounds for this issue. [email protected] 6.5 1.18% 2022-06-27 2026-06-17
CVE-2022-31039 Greenlight is a simple front-end interface for your BigBlueButton server. In affected versions an attacker can view any room's settings even though they are not authorized to do so. Only the room owner and administrator should be able to view a room's settings. This issue has been patched in release version 2.12.6. [email protected] 4.3 0.56% 2022-06-27 2026-06-17
CVE-2022-27238 BigBlueButton version 2.4.7 (or earlier) is vulnerable to stored Cross-Site Scripting (XSS) in the private chat functionality. A threat actor could inject JavaScript payload in his/her username. The payload gets executed in the browser of the victim each time the attacker sends a private message to the victim or when notification about the attacker leaving room is displayed. [email protected] 5.4 0.38% 2022-06-24 2026-06-17
CVE-2022-26497 BigBlueButton Greenlight 2.11.1 allows XSS. A threat actor could have a username containing a JavaScript payload. The payload gets executed in the browser of the victim in the "Share room access" dialog if the victim has shared access to the particular room with the attacker previously. [email protected] 5.4 0.78% 2022-06-02 2026-06-17
CVE-2022-29236 BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker can circumvent access restrictions for drawing on the whiteboard. The permission check is inadvertently skipped on the server, due to a previously introduced grace period. The attacker must be a meeting participant. The problem has been patched in versions 2.3.18 and 2.4-rc-6. There are currently no known workarounds. [email protected] 4.3 0.79% 2022-06-01 2026-06-17
CVE-2022-29235 BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4-rc-6, an attacker who is able to obtain the meeting identifier for a meeting on a server can find information related to an external video being shared, like the current timestamp and play/pause. The problem has been patched in versions 2.3.18 and 2.4-rc-6 by modifying the stream to send the data only for users in the meeting. There are currently no known workarounds. [email protected] 5.3 0.95% 2022-06-01 2026-06-17
CVE-2022-29234 BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4.1, an attacker could send messages to a locked chat within a grace period of 5s any lock setting in the meeting was changed. The attacker needs to be a participant in the meeting. Versions 2.3.18 and 2.4.1 contain a patch for this issue. There are currently no known workarounds. [email protected] 4.3 0.76% 2022-06-01 2026-06-17
CVE-2022-29233 BigBlueButton is an open source web conferencing system. In BigBlueButton starting with 2.2 but before 2.3.18 and 2.4-rc-1, an attacker can circumvent access controls to gain access to all breakout rooms of the meeting they are in. The permission checks rely on knowledge of internal ids rather than on verification of the role of the user. Versions 2.3.18 and 2.4-rc-1 contain a patch for this issue. There are currently no known workarounds. [email protected] 4.3 0.96% 2022-06-01 2026-06-17
CVE-2022-29232 BigBlueButton is an open source web conferencing system. Starting with version 2.2 and prior to versions 2.3.9 and 2.4-beta-1, an attacker can circumvent access controls to obtain the content of public chat messages from different meetings on the server. The attacker must be a participant in a meeting on the server. BigBlueButton versions 2.3.9 and 2.4-beta-1 contain a patch for this issue. There are currently no known workarounds. [email protected] 6.5 0.96% 2022-06-01 2026-06-17
CVE-2022-29169 BigBlueButton is an open source web conferencing system. Versions starting with 2.2 and prior to 2.3.19, 2.4.7, and 2.5.0-beta.2 are vulnerable to regular expression denial of service (ReDoS) attacks. By using specific a RegularExpression, an attacker can cause denial of service for the bbb-html5 service. The useragent library performs checking of device by parsing the input of User-Agent header and lets it go through lookupUserAgent() (alias of useragent.lookup() ). This function handles input [email protected] 7.5 1.42% 2022-06-01 2026-06-17
CVE-2021-4143 Cross-site Scripting (XSS) - Generic in GitHub repository bigbluebutton/bigbluebutton prior to 2.4.0. [email protected] 6.1 0.89% 2022-01-19 2026-06-17
CVE-2020-29043 An issue was discovered in BigBlueButton through 2.2.29. When at attacker is able to view an account_activations/edit?token= URI, the attacker can create an approved user account associated with an email address that has an arbitrary domain name. [email protected] 7.5 1.43% 2020-11-26 2026-06-16
CVE-2020-29042 An issue was discovered in BigBlueButton through 2.2.29. A brute-force attack may occur because an unlimited number of codes can be entered for a meeting that is protected by an access code. [email protected] 3.7 1.06% 2020-11-26 2026-06-16
CVE-2020-28954 web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name. [email protected] 5.3 1.23% 2020-11-19 2026-06-16
CVE-2020-28953 In BigBlueButton before 2.2.29, a user can vote more than once in a single poll. [email protected] 4.3 0.69% 2020-11-19 2026-06-16
CVE-2020-27642 A cross-site scripting (XSS) vulnerability exists in the 'merge account' functionality in admins.js in BigBlueButton Greenlight 2.7.6. [email protected] 6.1 0.67% 2020-10-22 2026-06-16
CVE-2020-27613 The installation procedure in BigBlueButton before 2.2.28 (or earlier) uses ClueCon as the FreeSWITCH password, which allows local users to achieve unintended FreeSWITCH access. [email protected] 8.4 0.27% 2020-10-21 2026-06-16
cvelogic Threat Intelligence