Vulnerability Description
web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bigbluebutton | Bigbluebutton | < 2.2.29 |
Related Weaknesses (CWE)
References
- https://github.com/bigbluebutton/bigbluebutton/commit/5c911ddeec4493f40f42e2f137 (Patch, Third Party Advisory)
- https://github.com/bigbluebutton/bigbluebutton/commit/e59bcd0c33a6a3203c011faa88 (Patch, Third Party Advisory)
- https://github.com/bigbluebutton/bigbluebutton/compare/v2.2.28...v2.2.29 (Release Notes, Third Party Advisory)
- https://github.com/bigbluebutton/bigbluebutton/issues/10818 (Third Party Advisory)
FAQ
What is CVE-2020-28954?
CVE-2020-28954 is a vulnerability with a CVSS score of 5.3 (MEDIUM). web/controllers/ApiController.groovy in BigBlueButton before 2.2.29 lacks certain parameter sanitization, as demonstrated by accepting control characters in a user name.
How severe is CVE-2020-28954?
CVE-2020-28954 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2020-28954?
Check the references section above for vendor advisories and patch information; the referenced fix commits are included in BigBlueButton 2.2.29. Affected product: Bigbluebutton Bigbluebutton, versions before 2.2.29.