1 comment

[ 4.1 ms ] story [ 11.1 ms ] thread
BigBlueButton prior to 2.2.7 is vulnerable to file disclosure and Server-Side Request Forgery attack. An authenticated user who is participants of a web conference and has an appropriate permission or privilege to upload the presentation can access internal system files via file upload and also conduct SSRF attacker via crafted URL in xlink filed.